Edit tour

Windows Analysis Report
NYQbqD59m8.exe

Overview

General Information

Sample name:	NYQbqD59m8.exe renamed because original name is a hash value
Original sample name:	2D5B4052BA6E888D0A2E8B044BC04651.exe
Analysis ID:	1485500
MD5:	2d5b4052ba6e888d0a2e8b044bc04651
SHA1:	7c23a7ea336ceb57d3c9d43b38b5d7e6b2265443
SHA256:	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

NYQbqD59m8.exe (PID: 1708 cmdline: "C:\Users\user\Desktop\NYQbqD59m8.exe" MD5: 2D5B4052BA6E888D0A2E8B044BC04651)

schtasks.exe (PID: 1288 cmdline: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3712 cmdline: "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAB1F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NYQbqD59m8.exe (PID: 5756 cmdline: C:\Users\user\Desktop\NYQbqD59m8.exe 0 MD5: 2D5B4052BA6E888D0A2E8B044BC04651)

dnshost.exe (PID: 5320 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" 0 MD5: 2D5B4052BA6E888D0A2E8B044BC04651)

dnshost.exe (PID: 1992 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 2D5B4052BA6E888D0A2E8B044BC04651)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "3425541e-8f39-4854-8b6f-412dbeb4", "Group": "Default", "Domain1": "6.tcp.eu.ngrok.io", "Domain2": "", "Port": 13201, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NYQbqD59m8.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
NYQbqD59m8.exe	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
NYQbqD59m8.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
NYQbqD59m8.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
NYQbqD59m8.exe	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
NYQbqD59m8.exe	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DNS Host\dnshost.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DNS Host\dnshost.exe	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
C:\Program Files (x86)\DNS Host\dnshost.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Program Files (x86)\DNS Host\dnshost.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DNS Host\dnshost.exe	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
C:\Program Files (x86)\DNS Host\dnshost.exe	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000008.00000002.2222973541.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x7fc0:$a2: NanoCore.ClientPlugin
00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfcf5:$v1: NanoCore Client 0xfd05:$v1: NanoCore Client 0x115c6:$v2: PluginCommand 0x115ae:$v3: CommandType
00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x62ffd:$a1: NanoCore.ClientPluginHost 0x6bd87:$a1: NanoCore.ClientPluginHost 0x7c045:$a1: NanoCore.ClientPluginHost 0x891fb:$a1: NanoCore.ClientPluginHost 0x93127:$a1: NanoCore.ClientPluginHost 0x9b099:$a1: NanoCore.ClientPluginHost 0xa10b8:$a1: NanoCore.ClientPluginHost 0xaab6f:$a1: NanoCore.ClientPluginHost 0xb50f7:$a1: NanoCore.ClientPluginHost 0xc0125:$a1: NanoCore.ClientPluginHost 0xcbf17:$a1: NanoCore.ClientPluginHost 0xd7d72:$a1: NanoCore.ClientPluginHost 0x62fc0:$a2: NanoCore.ClientPlugin 0x6bd62:$a2: NanoCore.ClientPlugin 0x7c01f:$a2: NanoCore.ClientPlugin 0x89277:$a2: NanoCore.ClientPlugin 0x931a3:$a2: NanoCore.ClientPlugin 0x9b113:$a2: NanoCore.ClientPlugin 0xa1102:$a2: NanoCore.ClientPlugin 0xaac59:$a2: NanoCore.ClientPlugin 0xb5197:$a2: NanoCore.ClientPlugin
00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x62f67:$a: NanoCore 0x62fc0:$a: NanoCore 0x62ffd:$a: NanoCore 0x63076:$a: NanoCore 0x6bd62:$a: NanoCore 0x6bd87:$a: NanoCore 0x6bde0:$a: NanoCore 0x7c01f:$a: NanoCore 0x7c045:$a: NanoCore 0x7c0a1:$a: NanoCore 0x88f43:$a: NanoCore 0x88f9c:$a: NanoCore 0x88fcf:$a: NanoCore 0x891fb:$a: NanoCore 0x89277:$a: NanoCore 0x89890:$a: NanoCore 0x899d9:$a: NanoCore 0x89ead:$a: NanoCore 0x8a194:$a: NanoCore 0x8a1ab:$a: NanoCore 0x93127:$a: NanoCore
00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x62ef5:$a1: NanoCore.ClientPluginHost 0x6bc7f:$a1: NanoCore.ClientPluginHost 0x7bf3d:$a1: NanoCore.ClientPluginHost 0x890f3:$a1: NanoCore.ClientPluginHost 0x9301f:$a1: NanoCore.ClientPluginHost 0x9af91:$a1: NanoCore.ClientPluginHost 0xa0fb0:$a1: NanoCore.ClientPluginHost 0xaaa67:$a1: NanoCore.ClientPluginHost 0xb4fef:$a1: NanoCore.ClientPluginHost 0xc001d:$a1: NanoCore.ClientPluginHost 0xcbe0f:$a1: NanoCore.ClientPluginHost 0xd7c6a:$a1: NanoCore.ClientPluginHost 0x62eb8:$a2: NanoCore.ClientPlugin 0x6bc5a:$a2: NanoCore.ClientPlugin 0x7bf17:$a2: NanoCore.ClientPlugin 0x8916f:$a2: NanoCore.ClientPlugin 0x9309b:$a2: NanoCore.ClientPlugin 0x9b00b:$a2: NanoCore.ClientPlugin 0xa0ffa:$a2: NanoCore.ClientPlugin 0xaab51:$a2: NanoCore.ClientPlugin 0xb508f:$a2: NanoCore.ClientPlugin
00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x62e5f:$a: NanoCore 0x62eb8:$a: NanoCore 0x62ef5:$a: NanoCore 0x62f6e:$a: NanoCore 0x6bc5a:$a: NanoCore 0x6bc7f:$a: NanoCore 0x6bcd8:$a: NanoCore 0x7bf17:$a: NanoCore 0x7bf3d:$a: NanoCore 0x7bf99:$a: NanoCore 0x88e3b:$a: NanoCore 0x88e94:$a: NanoCore 0x88ec7:$a: NanoCore 0x890f3:$a: NanoCore 0x8916f:$a: NanoCore 0x89788:$a: NanoCore 0x898d1:$a: NanoCore 0x89da5:$a: NanoCore 0x8a08c:$a: NanoCore 0x8a0a3:$a: NanoCore 0x9301f:$a: NanoCore
00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x19225:$a1: NanoCore.ClientPluginHost 0x21d9f:$a1: NanoCore.ClientPluginHost 0x31fc9:$a1: NanoCore.ClientPluginHost 0x3f13b:$a1: NanoCore.ClientPluginHost 0x48f93:$a1: NanoCore.ClientPluginHost 0x50ec1:$a1: NanoCore.ClientPluginHost 0x56e9c:$a1: NanoCore.ClientPluginHost 0x6090f:$a1: NanoCore.ClientPluginHost 0x6ad43:$a1: NanoCore.ClientPluginHost 0x75d2d:$a1: NanoCore.ClientPluginHost 0x81adb:$a1: NanoCore.ClientPluginHost 0x8d86a:$a1: NanoCore.ClientPluginHost 0x191e8:$a2: NanoCore.ClientPlugin 0x21d7a:$a2: NanoCore.ClientPlugin 0x31fa3:$a2: NanoCore.ClientPlugin 0x3f1b7:$a2: NanoCore.ClientPlugin 0x4900f:$a2: NanoCore.ClientPlugin 0x50f3b:$a2: NanoCore.ClientPlugin 0x56ee6:$a2: NanoCore.ClientPlugin 0x609f9:$a2: NanoCore.ClientPlugin 0x6ade3:$a2: NanoCore.ClientPlugin
00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1918f:$a: NanoCore 0x191e8:$a: NanoCore 0x19225:$a: NanoCore 0x1929e:$a: NanoCore 0x21d7a:$a: NanoCore 0x21d9f:$a: NanoCore 0x21df8:$a: NanoCore 0x31fa3:$a: NanoCore 0x31fc9:$a: NanoCore 0x32025:$a: NanoCore 0x3ee83:$a: NanoCore 0x3eedc:$a: NanoCore 0x3ef0f:$a: NanoCore 0x3f13b:$a: NanoCore 0x3f1b7:$a: NanoCore 0x3f7d0:$a: NanoCore 0x3f919:$a: NanoCore 0x3fded:$a: NanoCore 0x400d4:$a: NanoCore 0x400eb:$a: NanoCore 0x48f93:$a: NanoCore
00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10443b:$a1: NanoCore.ClientPluginHost 0x10cfad:$a1: NanoCore.ClientPluginHost 0x11d1c9:$a1: NanoCore.ClientPluginHost 0x12a332:$a1: NanoCore.ClientPluginHost 0x134184:$a1: NanoCore.ClientPluginHost 0x13c0aa:$a1: NanoCore.ClientPluginHost 0x14207b:$a1: NanoCore.ClientPluginHost 0x14bae7:$a1: NanoCore.ClientPluginHost 0x155f12:$a1: NanoCore.ClientPluginHost 0x160eef:$a1: NanoCore.ClientPluginHost 0x16cc91:$a1: NanoCore.ClientPluginHost 0x182169:$a1: NanoCore.ClientPluginHost 0x1aa3cb:$a1: NanoCore.ClientPluginHost 0x1b980b:$a1: NanoCore.ClientPluginHost 0x1d1b95:$a1: NanoCore.ClientPluginHost 0x1f9de3:$a1: NanoCore.ClientPluginHost 0x1043fe:$a2: NanoCore.ClientPlugin 0x10cf88:$a2: NanoCore.ClientPlugin 0x11d1a3:$a2: NanoCore.ClientPlugin 0x12a3ae:$a2: NanoCore.ClientPlugin 0x134200:$a2: NanoCore.ClientPlugin
00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1043a5:$a: NanoCore 0x1043fe:$a: NanoCore 0x10443b:$a: NanoCore 0x1044b4:$a: NanoCore 0x10cf88:$a: NanoCore 0x10cfad:$a: NanoCore 0x10d006:$a: NanoCore 0x11d1a3:$a: NanoCore 0x11d1c9:$a: NanoCore 0x11d225:$a: NanoCore 0x12a07a:$a: NanoCore 0x12a0d3:$a: NanoCore 0x12a106:$a: NanoCore 0x12a332:$a: NanoCore 0x12a3ae:$a: NanoCore 0x12a9c7:$a: NanoCore 0x12ab10:$a: NanoCore 0x12afe4:$a: NanoCore 0x12b2cb:$a: NanoCore 0x12b2e2:$a: NanoCore 0x134184:$a: NanoCore
Process Memory Space: NYQbqD59m8.exe PID: 1708	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: NYQbqD59m8.exe PID: 1708	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x17d04:$a1: NanoCore.ClientPluginHost 0x311db:$a1: NanoCore.ClientPluginHost 0x3aa12:$a1: NanoCore.ClientPluginHost 0x42372:$a1: NanoCore.ClientPluginHost 0x89532:$a1: NanoCore.ClientPluginHost 0x8d931:$a1: NanoCore.ClientPluginHost 0x90b74:$a1: NanoCore.ClientPluginHost 0x9473d:$a1: NanoCore.ClientPluginHost 0xa4085:$a1: NanoCore.ClientPluginHost 0xa8e11:$a1: NanoCore.ClientPluginHost 0xb22a1:$a1: NanoCore.ClientPluginHost 0xba62f:$a1: NanoCore.ClientPluginHost 0xd17bf:$a1: NanoCore.ClientPluginHost 0xd3d40:$a1: NanoCore.ClientPluginHost 0xd581c:$a1: NanoCore.ClientPluginHost 0xe553a:$a1: NanoCore.ClientPluginHost 0x17cdb:$a2: NanoCore.ClientPlugin 0x311b2:$a2: NanoCore.ClientPlugin 0x3a9d5:$a2: NanoCore.ClientPlugin 0x42335:$a2: NanoCore.ClientPlugin 0x895ae:$a2: NanoCore.ClientPlugin
Process Memory Space: NYQbqD59m8.exe PID: 1708	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x70b5:$a: NanoCore 0x728a:$a: NanoCore 0x72d7:$a: NanoCore 0x7707:$a: NanoCore 0x7720:$a: NanoCore 0x7899:$a: NanoCore 0x17cc3:$a: NanoCore 0x17cdb:$a: NanoCore 0x17d04:$a: NanoCore 0x1cafc:$a: NanoCore 0x1cb12:$a: NanoCore 0x1cb39:$a: NanoCore 0x2ec7c:$a: NanoCore 0x311b2:$a: NanoCore 0x311db:$a: NanoCore 0x35d5c:$a: NanoCore 0x35d83:$a: NanoCore 0x3a97c:$a: NanoCore 0x3a9d5:$a: NanoCore 0x3aa12:$a: NanoCore 0x3aa8b:$a: NanoCore
Process Memory Space: NYQbqD59m8.exe PID: 1708	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x17d04:$x1: NanoCore.ClientPluginHost 0x311db:$x1: NanoCore.ClientPluginHost 0x3aa12:$x1: NanoCore.ClientPluginHost 0x42372:$x1: NanoCore.ClientPluginHost 0x89532:$x1: NanoCore.ClientPluginHost 0x8d931:$x1: NanoCore.ClientPluginHost 0x90b74:$x1: NanoCore.ClientPluginHost 0x9473d:$x1: NanoCore.ClientPluginHost 0xa4085:$x1: NanoCore.ClientPluginHost 0xa8e11:$x1: NanoCore.ClientPluginHost 0xb22a1:$x1: NanoCore.ClientPluginHost 0xba62f:$x1: NanoCore.ClientPluginHost 0xd17bf:$x1: NanoCore.ClientPluginHost 0xd3d40:$x1: NanoCore.ClientPluginHost 0xd581c:$x1: NanoCore.ClientPluginHost 0xe553a:$x1: NanoCore.ClientPluginHost 0x17d1e:$x2: IClientNetworkHost 0x311f5:$x2: IClientNetworkHost 0x3aa2c:$x2: IClientNetworkHost 0x4238c:$x2: IClientNetworkHost 0x8956b:$x2: IClientNetworkHost
Process Memory Space: NYQbqD59m8.exe PID: 1708	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x2ec7c:$v1: NanoCore Client 0x3cc0f:$v1: NanoCore Client 0x3cd16:$v1: NanoCore Client 0xba2fc:$v1: NanoCore Client 0xba30c:$v1: NanoCore Client 0xba3cb:$v1: NanoCore Client 0xba3da:$v1: NanoCore Client 0x59c48:$v2: PluginCommand 0x5d869:$v2: PluginCommand 0x89da4:$v2: PluginCommand 0xbbc26:$v2: PluginCommand 0xc6dbf:$v2: PluginCommand 0xd23d2:$v2: PluginCommand 0x1855e:$v3: CommandType 0x1d855:$v3: CommandType 0x31e9d:$v3: CommandType 0x369d8:$v3: CommandType 0x44616:$v3: CommandType 0x47f6f:$v3: CommandType 0x532cb:$v3: CommandType 0x5b857:$v3: CommandType
Process Memory Space: NYQbqD59m8.exe PID: 5756	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: NYQbqD59m8.exe PID: 5756	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf581:$a1: NanoCore.ClientPluginHost 0x4dd50:$a1: NanoCore.ClientPluginHost 0xf544:$a2: NanoCore.ClientPlugin 0x4dd13:$a2: NanoCore.ClientPlugin 0xf839:$b1: get_BuilderSettings 0x4e0ca:$b1: get_BuilderSettings 0xf5cf:$b4: IClientAppHost 0x4dd9e:$b4: IClientAppHost 0xf8aa:$b6: AddHostEntry 0x4e13b:$b6: AddHostEntry 0x9563:$b7: LogClientException 0x4e1aa:$b7: LogClientException 0xf88e:$b8: PipeExists 0x4e11f:$b8: PipeExists 0xf5bc:$b9: IClientLoggingHost 0x4dd8b:$b9: IClientLoggingHost
Process Memory Space: NYQbqD59m8.exe PID: 5756	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c65:$a: NanoCore 0x3cd2:$a: NanoCore 0x3d45:$a: NanoCore 0xf4eb:$a: NanoCore 0xf544:$a: NanoCore 0xf581:$a: NanoCore 0xf5fa:$a: NanoCore 0xfd5e:$a: NanoCore 0xfdb1:$a: NanoCore 0xfdea:$a: NanoCore 0xfe5d:$a: NanoCore 0x141c3:$a: NanoCore 0x141e6:$a: NanoCore 0x1423b:$a: NanoCore 0x1ef1b:$a: NanoCore 0x1ef3f:$a: NanoCore 0x1ef97:$a: NanoCore 0x263d6:$a: NanoCore 0x263f1:$a: NanoCore 0x26417:$a: NanoCore 0x26674:$a: NanoCore
Process Memory Space: NYQbqD59m8.exe PID: 5756	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3c65:$v1: NanoCore Client 0x3cd2:$v1: NanoCore Client 0x3d45:$v1: NanoCore Client 0x43c22:$v1: NanoCore Client 0x477e6:$v1: NanoCore Client 0x478b5:$v1: NanoCore Client 0x478c9:$v1: NanoCore Client 0x26760:$v2: PluginCommand 0x2a36b:$v2: PluginCommand 0x6564b:$v2: PluginCommand 0x69272:$v2: PluginCommand 0xca51:$v3: CommandType 0xdc33:$v3: CommandType 0x14cdf:$v3: CommandType 0x1fdec:$v3: CommandType 0x28367:$v3: CommandType 0x29fbd:$v3: CommandType 0x2a3cc:$v3: CommandType 0x2b675:$v3: CommandType 0x2d496:$v3: CommandType 0x36a7f:$v3: CommandType
Process Memory Space: dnshost.exe PID: 5320	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbe80:$a1: NanoCore.ClientPluginHost 0xbe43:$a2: NanoCore.ClientPlugin 0xc138:$b1: get_BuilderSettings 0xbece:$b4: IClientAppHost 0xc1a9:$b6: AddHostEntry 0x5e62:$b7: LogClientException 0xc18d:$b8: PipeExists 0xbebb:$b9: IClientLoggingHost
Process Memory Space: dnshost.exe PID: 5320	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55c:$a: NanoCore 0x5c9:$a: NanoCore 0x63c:$a: NanoCore 0xbdea:$a: NanoCore 0xbe43:$a: NanoCore 0xbe80:$a: NanoCore 0xbef9:$a: NanoCore 0xc65d:$a: NanoCore 0xc6b0:$a: NanoCore 0xc6e9:$a: NanoCore 0xc75c:$a: NanoCore 0x10ac2:$a: NanoCore 0x10ae5:$a: NanoCore 0x10b3a:$a: NanoCore 0x1b81a:$a: NanoCore 0x1b83e:$a: NanoCore 0x1b896:$a: NanoCore 0x22cd5:$a: NanoCore 0x22cf0:$a: NanoCore 0x22d16:$a: NanoCore 0x22f73:$a: NanoCore
Process Memory Space: dnshost.exe PID: 5320	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x55c:$v1: NanoCore Client 0x5c9:$v1: NanoCore Client 0x63c:$v1: NanoCore Client 0x40548:$v1: NanoCore Client 0x45741:$v1: NanoCore Client 0x4577d:$v1: NanoCore Client 0x2305f:$v2: PluginCommand 0x26c6a:$v2: PluginCommand 0x9350:$v3: CommandType 0xa532:$v3: CommandType 0x115de:$v3: CommandType 0x1c6eb:$v3: CommandType 0x24c66:$v3: CommandType 0x268bc:$v3: CommandType 0x26ccb:$v3: CommandType 0x27f74:$v3: CommandType 0x29d95:$v3: CommandType 0x3337e:$v3: CommandType 0x39a3d:$v3: CommandType 0x3cbed:$v3: CommandType
Process Memory Space: dnshost.exe PID: 1992	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x994f:$a2: NanoCore.ClientPlugin
Click to see the 66 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.NYQbqD59m8.exe.6510000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6510000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6510000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6480000.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6480000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6480000.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6100000.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
0.2.NYQbqD59m8.exe.6100000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6100000.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6510000.16.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6510000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6510000.16.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.64d0000.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64d0000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64d0000.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
0.2.NYQbqD59m8.exe.65b0000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.65b0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.65b0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6520000.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.NYQbqD59m8.exe.6520000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6520000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6520000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
6.2.NYQbqD59m8.exe.2ff4398.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
6.2.NYQbqD59m8.exe.2ff4398.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.2ff4398.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
6.2.NYQbqD59m8.exe.4095624.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
6.2.NYQbqD59m8.exe.4095624.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.4095624.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6570000.21.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6570000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6570000.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
7.2.dnshost.exe.2a881cc.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
7.2.dnshost.exe.2a881cc.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
7.2.dnshost.exe.2a881cc.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.64c0000.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64c0000.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64c0000.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
0.2.NYQbqD59m8.exe.6110000.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6110000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6110000.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
7.2.dnshost.exe.2a944a0.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
7.2.dnshost.exe.2a944a0.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.2.dnshost.exe.2a944a0.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.64f0000.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64f0000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64f0000.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
6.2.NYQbqD59m8.exe.2fe80c4.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
6.2.NYQbqD59m8.exe.2fe80c4.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.2fe80c4.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6524629.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.NYQbqD59m8.exe.6524629.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6524629.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6524629.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
6.2.NYQbqD59m8.exe.40893f2.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
6.2.NYQbqD59m8.exe.40893f2.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.40893f2.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
8.2.dnshost.exe.2eb3188.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38:$a2: NanoCore.ClientPlugin
8.2.dnshost.exe.2eb3188.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xe65:$i5: IClientDataHost 0xe41:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6100000.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
0.2.NYQbqD59m8.exe.6100000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6100000.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.353a424.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.353a424.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.353a424.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.64a0000.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.64a0000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.64a0000.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6110000.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6110000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6110000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6490000.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6490000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6490000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
0.2.NYQbqD59m8.exe.6570000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6570000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6570000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6490000.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6490000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6490000.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.NYQbqD59m8.exe.352e1e4.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
0.2.NYQbqD59m8.exe.352e1e4.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.352e1e4.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
0.2.NYQbqD59m8.exe.6520000.18.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.NYQbqD59m8.exe.6520000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
0.2.NYQbqD59m8.exe.6520000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.6520000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d5b:$a1: NanoCore.ClientPluginHost 0x1fc87:$a1: NanoCore.ClientPluginHost 0x27bf9:$a1: NanoCore.ClientPluginHost 0x2dc18:$a1: NanoCore.ClientPluginHost 0x376cf:$a1: NanoCore.ClientPluginHost 0x41c57:$a1: NanoCore.ClientPluginHost 0x4cc85:$a1: NanoCore.ClientPluginHost 0x58a77:$a1: NanoCore.ClientPluginHost 0x648d2:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15dd7:$a2: NanoCore.ClientPlugin 0x1fd03:$a2: NanoCore.ClientPlugin 0x27c73:$a2: NanoCore.ClientPlugin 0x2dc62:$a2: NanoCore.ClientPlugin 0x377b9:$a2: NanoCore.ClientPlugin 0x41cf7:$a2: NanoCore.ClientPlugin 0x4cc5c:$a2: NanoCore.ClientPlugin 0x58a4e:$a2: NanoCore.ClientPlugin 0x648ad:$a2: NanoCore.ClientPlugin 0x648c3:$b4: IClientAppHost
6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aa3:$a: NanoCore 0x15afc:$a: NanoCore 0x15b2f:$a: NanoCore 0x15d5b:$a: NanoCore 0x15dd7:$a: NanoCore 0x163f0:$a: NanoCore 0x16539:$a: NanoCore 0x16a0d:$a: NanoCore 0x16cf4:$a: NanoCore 0x16d0b:$a: NanoCore 0x1fc87:$a: NanoCore 0x1fd03:$a: NanoCore 0x225e6:$a: NanoCore 0x27bf9:$a: NanoCore 0x27c73:$a: NanoCore 0x2dc18:$a: NanoCore 0x2dc62:$a: NanoCore 0x2e8bc:$a: NanoCore
6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d5b:$x1: NanoCore.ClientPluginHost 0x1fc87:$x1: NanoCore.ClientPluginHost 0x27bf9:$x1: NanoCore.ClientPluginHost 0x2dc18:$x1: NanoCore.ClientPluginHost 0x376cf:$x1: NanoCore.ClientPluginHost 0x41c57:$x1: NanoCore.ClientPluginHost 0x4cc85:$x1: NanoCore.ClientPluginHost 0x58a77:$x1: NanoCore.ClientPluginHost 0x648d2:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d94:$x2: IClientNetworkHost 0x1fcc0:$x2: IClientNetworkHost 0x27c32:$x2: IClientNetworkHost 0x3782c:$x2: IClientNetworkHost 0x41c90:$x2: IClientNetworkHost 0x4cc9f:$x2: IClientNetworkHost 0x58a91:$x2: IClientNetworkHost 0x6490f:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15dd7:$x2: NanoCore.ClientPlugin 0x1fd03:$x2: NanoCore.ClientPlugin 0x27c73:$x2: NanoCore.ClientPlugin 0x2dc62:$x2: NanoCore.ClientPlugin 0x377b9:$x2: NanoCore.ClientPlugin 0x41cf7:$x2: NanoCore.ClientPlugin 0x4cc5c:$x2: NanoCore.ClientPlugin 0x58a4e:$x2: NanoCore.ClientPlugin 0x648ad:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d5b:$x3: NanoCore.ClientPluginHost 0x1fc87:$x3: NanoCore.ClientPluginHost 0x27bf9:$x3: NanoCore.ClientPluginHost 0x2dc18:$x3: NanoCore.ClientPluginHost 0x376cf:$x3: NanoCore.ClientPluginHost 0x41c57:$x3: NanoCore.ClientPluginHost 0x4cc85:$x3: NanoCore.ClientPluginHost 0x58a77:$x3: NanoCore.ClientPluginHost 0x648d2:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
7.2.dnshost.exe.2a944a0.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d5b:$a1: NanoCore.ClientPluginHost 0x1fc87:$a1: NanoCore.ClientPluginHost 0x27bf9:$a1: NanoCore.ClientPluginHost 0x2dc18:$a1: NanoCore.ClientPluginHost 0x376cf:$a1: NanoCore.ClientPluginHost 0x41c57:$a1: NanoCore.ClientPluginHost 0x4cc85:$a1: NanoCore.ClientPluginHost 0x58a77:$a1: NanoCore.ClientPluginHost 0x648d2:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15dd7:$a2: NanoCore.ClientPlugin 0x1fd03:$a2: NanoCore.ClientPlugin 0x27c73:$a2: NanoCore.ClientPlugin 0x2dc62:$a2: NanoCore.ClientPlugin 0x377b9:$a2: NanoCore.ClientPlugin 0x41cf7:$a2: NanoCore.ClientPlugin 0x4cc5c:$a2: NanoCore.ClientPlugin 0x58a4e:$a2: NanoCore.ClientPlugin 0x648ad:$a2: NanoCore.ClientPlugin 0x648c3:$b4: IClientAppHost
7.2.dnshost.exe.2a944a0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aa3:$a: NanoCore 0x15afc:$a: NanoCore 0x15b2f:$a: NanoCore 0x15d5b:$a: NanoCore 0x15dd7:$a: NanoCore 0x163f0:$a: NanoCore 0x16539:$a: NanoCore 0x16a0d:$a: NanoCore 0x16cf4:$a: NanoCore 0x16d0b:$a: NanoCore 0x1fc87:$a: NanoCore 0x1fd03:$a: NanoCore 0x225e6:$a: NanoCore 0x27bf9:$a: NanoCore 0x27c73:$a: NanoCore 0x2dc18:$a: NanoCore 0x2dc62:$a: NanoCore 0x2e8bc:$a: NanoCore
7.2.dnshost.exe.2a944a0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d5b:$x1: NanoCore.ClientPluginHost 0x1fc87:$x1: NanoCore.ClientPluginHost 0x27bf9:$x1: NanoCore.ClientPluginHost 0x2dc18:$x1: NanoCore.ClientPluginHost 0x376cf:$x1: NanoCore.ClientPluginHost 0x41c57:$x1: NanoCore.ClientPluginHost 0x4cc85:$x1: NanoCore.ClientPluginHost 0x58a77:$x1: NanoCore.ClientPluginHost 0x648d2:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d94:$x2: IClientNetworkHost 0x1fcc0:$x2: IClientNetworkHost 0x27c32:$x2: IClientNetworkHost 0x3782c:$x2: IClientNetworkHost 0x41c90:$x2: IClientNetworkHost 0x4cc9f:$x2: IClientNetworkHost 0x58a91:$x2: IClientNetworkHost 0x6490f:$x2: IClientNetworkHost
7.2.dnshost.exe.2a944a0.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15dd7:$x2: NanoCore.ClientPlugin 0x1fd03:$x2: NanoCore.ClientPlugin 0x27c73:$x2: NanoCore.ClientPlugin 0x2dc62:$x2: NanoCore.ClientPlugin 0x377b9:$x2: NanoCore.ClientPlugin 0x41cf7:$x2: NanoCore.ClientPlugin 0x4cc5c:$x2: NanoCore.ClientPlugin 0x58a4e:$x2: NanoCore.ClientPlugin 0x648ad:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d5b:$x3: NanoCore.ClientPluginHost 0x1fc87:$x3: NanoCore.ClientPluginHost 0x27bf9:$x3: NanoCore.ClientPluginHost 0x2dc18:$x3: NanoCore.ClientPluginHost 0x376cf:$x3: NanoCore.ClientPluginHost 0x41c57:$x3: NanoCore.ClientPluginHost 0x4cc85:$x3: NanoCore.ClientPluginHost 0x58a77:$x3: NanoCore.ClientPluginHost 0x648d2:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
0.0.NYQbqD59m8.exe.d80000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.NYQbqD59m8.exe.d80000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.0.NYQbqD59m8.exe.d80000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.0.NYQbqD59m8.exe.d80000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.NYQbqD59m8.exe.d80000.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
0.0.NYQbqD59m8.exe.d80000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x9bff:$a1: NanoCore.ClientPluginHost 0x19ebd:$a1: NanoCore.ClientPluginHost 0x27073:$a1: NanoCore.ClientPluginHost 0x30f9f:$a1: NanoCore.ClientPluginHost 0x38f11:$a1: NanoCore.ClientPluginHost 0x3ef30:$a1: NanoCore.ClientPluginHost 0x489e7:$a1: NanoCore.ClientPluginHost 0x52f6f:$a1: NanoCore.ClientPluginHost 0x5df9d:$a1: NanoCore.ClientPluginHost 0x69d8f:$a1: NanoCore.ClientPluginHost 0x75bea:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x9bda:$a2: NanoCore.ClientPlugin 0x19e97:$a2: NanoCore.ClientPlugin 0x270ef:$a2: NanoCore.ClientPlugin 0x3101b:$a2: NanoCore.ClientPlugin 0x38f8b:$a2: NanoCore.ClientPlugin 0x3ef7a:$a2: NanoCore.ClientPlugin 0x48ad1:$a2: NanoCore.ClientPlugin 0x5300f:$a2: NanoCore.ClientPlugin
6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x9bda:$a: NanoCore 0x9bff:$a: NanoCore 0x9c58:$a: NanoCore 0x19e97:$a: NanoCore 0x19ebd:$a: NanoCore 0x19f19:$a: NanoCore 0x26dbb:$a: NanoCore 0x26e14:$a: NanoCore 0x26e47:$a: NanoCore 0x27073:$a: NanoCore 0x270ef:$a: NanoCore 0x27708:$a: NanoCore 0x27851:$a: NanoCore 0x27d25:$a: NanoCore 0x2800c:$a: NanoCore 0x28023:$a: NanoCore 0x30f9f:$a: NanoCore
6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x9bff:$x1: NanoCore.ClientPluginHost 0x19ebd:$x1: NanoCore.ClientPluginHost 0x27073:$x1: NanoCore.ClientPluginHost 0x30f9f:$x1: NanoCore.ClientPluginHost 0x38f11:$x1: NanoCore.ClientPluginHost 0x3ef30:$x1: NanoCore.ClientPluginHost 0x489e7:$x1: NanoCore.ClientPluginHost 0x52f6f:$x1: NanoCore.ClientPluginHost 0x5df9d:$x1: NanoCore.ClientPluginHost 0x69d8f:$x1: NanoCore.ClientPluginHost 0x75bea:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9c29:$x2: IClientNetworkHost 0x19eea:$x2: IClientNetworkHost 0x270ac:$x2: IClientNetworkHost 0x30fd8:$x2: IClientNetworkHost 0x38f4a:$x2: IClientNetworkHost 0x48b44:$x2: IClientNetworkHost 0x52fa8:$x2: IClientNetworkHost 0x5dfb7:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x9bda:$x2: NanoCore.ClientPlugin 0x19e97:$x2: NanoCore.ClientPlugin 0x270ef:$x2: NanoCore.ClientPlugin 0x3101b:$x2: NanoCore.ClientPlugin 0x38f8b:$x2: NanoCore.ClientPlugin 0x3ef7a:$x2: NanoCore.ClientPlugin 0x48ad1:$x2: NanoCore.ClientPlugin 0x5300f:$x2: NanoCore.ClientPlugin 0x5df74:$x2: NanoCore.ClientPlugin 0x69d66:$x2: NanoCore.ClientPlugin 0x75bc5:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x9bff:$x3: NanoCore.ClientPluginHost 0x19ebd:$x3: NanoCore.ClientPluginHost 0x27073:$x3: NanoCore.ClientPluginHost 0x30f9f:$x3: NanoCore.ClientPluginHost 0x38f11:$x3: NanoCore.ClientPluginHost 0x3ef30:$x3: NanoCore.ClientPluginHost 0x489e7:$x3: NanoCore.ClientPluginHost 0x52f6f:$x3: NanoCore.ClientPluginHost
7.2.dnshost.exe.2a881cc.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14e79:$a1: NanoCore.ClientPluginHost 0x2202f:$a1: NanoCore.ClientPluginHost 0x2bf5b:$a1: NanoCore.ClientPluginHost 0x33ecd:$a1: NanoCore.ClientPluginHost 0x39eec:$a1: NanoCore.ClientPluginHost 0x439a3:$a1: NanoCore.ClientPluginHost 0x4df2b:$a1: NanoCore.ClientPluginHost 0x58f59:$a1: NanoCore.ClientPluginHost 0x64d4b:$a1: NanoCore.ClientPluginHost 0x70ba6:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14e53:$a2: NanoCore.ClientPlugin 0x220ab:$a2: NanoCore.ClientPlugin 0x2bfd7:$a2: NanoCore.ClientPlugin 0x33f47:$a2: NanoCore.ClientPlugin 0x39f36:$a2: NanoCore.ClientPlugin 0x43a8d:$a2: NanoCore.ClientPlugin 0x4dfcb:$a2: NanoCore.ClientPlugin 0x58f30:$a2: NanoCore.ClientPlugin 0x64d22:$a2: NanoCore.ClientPlugin
7.2.dnshost.exe.2a881cc.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e53:$a: NanoCore 0x14e79:$a: NanoCore 0x14ed5:$a: NanoCore 0x21d77:$a: NanoCore 0x21dd0:$a: NanoCore 0x21e03:$a: NanoCore 0x2202f:$a: NanoCore 0x220ab:$a: NanoCore 0x226c4:$a: NanoCore 0x2280d:$a: NanoCore 0x22ce1:$a: NanoCore 0x22fc8:$a: NanoCore 0x22fdf:$a: NanoCore 0x2bf5b:$a: NanoCore 0x2bfd7:$a: NanoCore 0x2e8ba:$a: NanoCore 0x33ecd:$a: NanoCore 0x33f47:$a: NanoCore
7.2.dnshost.exe.2a881cc.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e79:$x1: NanoCore.ClientPluginHost 0x2202f:$x1: NanoCore.ClientPluginHost 0x2bf5b:$x1: NanoCore.ClientPluginHost 0x33ecd:$x1: NanoCore.ClientPluginHost 0x39eec:$x1: NanoCore.ClientPluginHost 0x439a3:$x1: NanoCore.ClientPluginHost 0x4df2b:$x1: NanoCore.ClientPluginHost 0x58f59:$x1: NanoCore.ClientPluginHost 0x64d4b:$x1: NanoCore.ClientPluginHost 0x70ba6:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14ea6:$x2: IClientNetworkHost 0x22068:$x2: IClientNetworkHost 0x2bf94:$x2: IClientNetworkHost 0x33f06:$x2: IClientNetworkHost 0x43b00:$x2: IClientNetworkHost 0x4df64:$x2: IClientNetworkHost 0x58f73:$x2: IClientNetworkHost 0x64d65:$x2: IClientNetworkHost 0x70be3:$x2: IClientNetworkHost
7.2.dnshost.exe.2a881cc.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14e53:$x2: NanoCore.ClientPlugin 0x220ab:$x2: NanoCore.ClientPlugin 0x2bfd7:$x2: NanoCore.ClientPlugin 0x33f47:$x2: NanoCore.ClientPlugin 0x39f36:$x2: NanoCore.ClientPlugin 0x43a8d:$x2: NanoCore.ClientPlugin 0x4dfcb:$x2: NanoCore.ClientPlugin 0x58f30:$x2: NanoCore.ClientPlugin 0x64d22:$x2: NanoCore.ClientPlugin 0x70b81:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14e79:$x3: NanoCore.ClientPluginHost 0x2202f:$x3: NanoCore.ClientPluginHost 0x2bf5b:$x3: NanoCore.ClientPluginHost 0x33ecd:$x3: NanoCore.ClientPluginHost 0x39eec:$x3: NanoCore.ClientPluginHost 0x439a3:$x3: NanoCore.ClientPluginHost 0x4df2b:$x3: NanoCore.ClientPluginHost 0x58f59:$x3: NanoCore.ClientPluginHost 0x64d4b:$x3: NanoCore.ClientPluginHost
7.2.dnshost.exe.2a83188.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x9bff:$a1: NanoCore.ClientPluginHost 0x19ebd:$a1: NanoCore.ClientPluginHost 0x27073:$a1: NanoCore.ClientPluginHost 0x30f9f:$a1: NanoCore.ClientPluginHost 0x38f11:$a1: NanoCore.ClientPluginHost 0x3ef30:$a1: NanoCore.ClientPluginHost 0x489e7:$a1: NanoCore.ClientPluginHost 0x52f6f:$a1: NanoCore.ClientPluginHost 0x5df9d:$a1: NanoCore.ClientPluginHost 0x69d8f:$a1: NanoCore.ClientPluginHost 0x75bea:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x9bda:$a2: NanoCore.ClientPlugin 0x19e97:$a2: NanoCore.ClientPlugin 0x270ef:$a2: NanoCore.ClientPlugin 0x3101b:$a2: NanoCore.ClientPlugin 0x38f8b:$a2: NanoCore.ClientPlugin 0x3ef7a:$a2: NanoCore.ClientPlugin 0x48ad1:$a2: NanoCore.ClientPlugin 0x5300f:$a2: NanoCore.ClientPlugin
7.2.dnshost.exe.2a83188.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x9bda:$a: NanoCore 0x9bff:$a: NanoCore 0x9c58:$a: NanoCore 0x19e97:$a: NanoCore 0x19ebd:$a: NanoCore 0x19f19:$a: NanoCore 0x26dbb:$a: NanoCore 0x26e14:$a: NanoCore 0x26e47:$a: NanoCore 0x27073:$a: NanoCore 0x270ef:$a: NanoCore 0x27708:$a: NanoCore 0x27851:$a: NanoCore 0x27d25:$a: NanoCore 0x2800c:$a: NanoCore 0x28023:$a: NanoCore 0x30f9f:$a: NanoCore
7.2.dnshost.exe.2a83188.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x9bff:$x1: NanoCore.ClientPluginHost 0x19ebd:$x1: NanoCore.ClientPluginHost 0x27073:$x1: NanoCore.ClientPluginHost 0x30f9f:$x1: NanoCore.ClientPluginHost 0x38f11:$x1: NanoCore.ClientPluginHost 0x3ef30:$x1: NanoCore.ClientPluginHost 0x489e7:$x1: NanoCore.ClientPluginHost 0x52f6f:$x1: NanoCore.ClientPluginHost 0x5df9d:$x1: NanoCore.ClientPluginHost 0x69d8f:$x1: NanoCore.ClientPluginHost 0x75bea:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9c29:$x2: IClientNetworkHost 0x19eea:$x2: IClientNetworkHost 0x270ac:$x2: IClientNetworkHost 0x30fd8:$x2: IClientNetworkHost 0x38f4a:$x2: IClientNetworkHost 0x48b44:$x2: IClientNetworkHost 0x52fa8:$x2: IClientNetworkHost 0x5dfb7:$x2: IClientNetworkHost
7.2.dnshost.exe.2a83188.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x9bda:$x2: NanoCore.ClientPlugin 0x19e97:$x2: NanoCore.ClientPlugin 0x270ef:$x2: NanoCore.ClientPlugin 0x3101b:$x2: NanoCore.ClientPlugin 0x38f8b:$x2: NanoCore.ClientPlugin 0x3ef7a:$x2: NanoCore.ClientPlugin 0x48ad1:$x2: NanoCore.ClientPlugin 0x5300f:$x2: NanoCore.ClientPlugin 0x5df74:$x2: NanoCore.ClientPlugin 0x69d66:$x2: NanoCore.ClientPlugin 0x75bc5:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x9bff:$x3: NanoCore.ClientPluginHost 0x19ebd:$x3: NanoCore.ClientPluginHost 0x27073:$x3: NanoCore.ClientPluginHost 0x30f9f:$x3: NanoCore.ClientPluginHost 0x38f11:$x3: NanoCore.ClientPluginHost 0x3ef30:$x3: NanoCore.ClientPluginHost 0x489e7:$x3: NanoCore.ClientPluginHost 0x52f6f:$x3: NanoCore.ClientPluginHost
6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14dd7:$a1: NanoCore.ClientPluginHost 0x21f40:$a1: NanoCore.ClientPluginHost 0x2bd92:$a1: NanoCore.ClientPluginHost 0x33cb8:$a1: NanoCore.ClientPluginHost 0x39c89:$a1: NanoCore.ClientPluginHost 0x436f5:$a1: NanoCore.ClientPluginHost 0x4db20:$a1: NanoCore.ClientPluginHost 0x58afd:$a1: NanoCore.ClientPluginHost 0x6489f:$a1: NanoCore.ClientPluginHost 0x79d77:$a1: NanoCore.ClientPluginHost 0xa1fd9:$a1: NanoCore.ClientPluginHost 0xb1419:$a1: NanoCore.ClientPluginHost 0xc97a3:$a1: NanoCore.ClientPluginHost 0xf19f1:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14db1:$a2: NanoCore.ClientPlugin 0x21fbc:$a2: NanoCore.ClientPlugin 0x2be0e:$a2: NanoCore.ClientPlugin 0x33d32:$a2: NanoCore.ClientPlugin 0x39cd3:$a2: NanoCore.ClientPlugin
6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2bd92:$a: NanoCore 0x2be0e:$a: NanoCore 0x2e6f1:$a: NanoCore 0x33cb8:$a: NanoCore 0x33d32:$a: NanoCore
6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db1:$x2: NanoCore.ClientPlugin 0x21fbc:$x2: NanoCore.ClientPlugin 0x2be0e:$x2: NanoCore.ClientPlugin 0x33d32:$x2: NanoCore.ClientPlugin 0x39cd3:$x2: NanoCore.ClientPlugin 0x437df:$x2: NanoCore.ClientPlugin 0x4dbc0:$x2: NanoCore.ClientPlugin 0x58ad4:$x2: NanoCore.ClientPlugin 0x64876:$x2: NanoCore.ClientPlugin 0x79d42:$x2: NanoCore.ClientPlugin 0xa1fb0:$x2: NanoCore.ClientPlugin 0xb13f4:$x2: NanoCore.ClientPlugin 0xc976e:$x2: NanoCore.ClientPlugin 0xf19c8:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14dd7:$x3: NanoCore.ClientPluginHost 0x21f40:$x3: NanoCore.ClientPluginHost 0x2bd92:$x3: NanoCore.ClientPluginHost 0x33cb8:$x3: NanoCore.ClientPluginHost 0x39c89:$x3: NanoCore.ClientPluginHost
6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14e79:$a1: NanoCore.ClientPluginHost 0x2202f:$a1: NanoCore.ClientPluginHost 0x2bf5b:$a1: NanoCore.ClientPluginHost 0x33ecd:$a1: NanoCore.ClientPluginHost 0x39eec:$a1: NanoCore.ClientPluginHost 0x439a3:$a1: NanoCore.ClientPluginHost 0x4df2b:$a1: NanoCore.ClientPluginHost 0x58f59:$a1: NanoCore.ClientPluginHost 0x64d4b:$a1: NanoCore.ClientPluginHost 0x70ba6:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14e53:$a2: NanoCore.ClientPlugin 0x220ab:$a2: NanoCore.ClientPlugin 0x2bfd7:$a2: NanoCore.ClientPlugin 0x33f47:$a2: NanoCore.ClientPlugin 0x39f36:$a2: NanoCore.ClientPlugin 0x43a8d:$a2: NanoCore.ClientPlugin 0x4dfcb:$a2: NanoCore.ClientPlugin 0x58f30:$a2: NanoCore.ClientPlugin 0x64d22:$a2: NanoCore.ClientPlugin
6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e53:$a: NanoCore 0x14e79:$a: NanoCore 0x14ed5:$a: NanoCore 0x21d77:$a: NanoCore 0x21dd0:$a: NanoCore 0x21e03:$a: NanoCore 0x2202f:$a: NanoCore 0x220ab:$a: NanoCore 0x226c4:$a: NanoCore 0x2280d:$a: NanoCore 0x22ce1:$a: NanoCore 0x22fc8:$a: NanoCore 0x22fdf:$a: NanoCore 0x2bf5b:$a: NanoCore 0x2bfd7:$a: NanoCore 0x2e8ba:$a: NanoCore 0x33ecd:$a: NanoCore 0x33f47:$a: NanoCore
6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e79:$x1: NanoCore.ClientPluginHost 0x2202f:$x1: NanoCore.ClientPluginHost 0x2bf5b:$x1: NanoCore.ClientPluginHost 0x33ecd:$x1: NanoCore.ClientPluginHost 0x39eec:$x1: NanoCore.ClientPluginHost 0x439a3:$x1: NanoCore.ClientPluginHost 0x4df2b:$x1: NanoCore.ClientPluginHost 0x58f59:$x1: NanoCore.ClientPluginHost 0x64d4b:$x1: NanoCore.ClientPluginHost 0x70ba6:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14ea6:$x2: IClientNetworkHost 0x22068:$x2: IClientNetworkHost 0x2bf94:$x2: IClientNetworkHost 0x33f06:$x2: IClientNetworkHost 0x43b00:$x2: IClientNetworkHost 0x4df64:$x2: IClientNetworkHost 0x58f73:$x2: IClientNetworkHost 0x64d65:$x2: IClientNetworkHost 0x70be3:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14e53:$x2: NanoCore.ClientPlugin 0x220ab:$x2: NanoCore.ClientPlugin 0x2bfd7:$x2: NanoCore.ClientPlugin 0x33f47:$x2: NanoCore.ClientPlugin 0x39f36:$x2: NanoCore.ClientPlugin 0x43a8d:$x2: NanoCore.ClientPlugin 0x4dfcb:$x2: NanoCore.ClientPlugin 0x58f30:$x2: NanoCore.ClientPlugin 0x64d22:$x2: NanoCore.ClientPlugin 0x70b81:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14e79:$x3: NanoCore.ClientPluginHost 0x2202f:$x3: NanoCore.ClientPluginHost 0x2bf5b:$x3: NanoCore.ClientPluginHost 0x33ecd:$x3: NanoCore.ClientPluginHost 0x39eec:$x3: NanoCore.ClientPluginHost 0x439a3:$x3: NanoCore.ClientPluginHost 0x4df2b:$x3: NanoCore.ClientPluginHost 0x58f59:$x3: NanoCore.ClientPluginHost 0x64d4b:$x3: NanoCore.ClientPluginHost
6.2.NYQbqD59m8.exe.4095624.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.NYQbqD59m8.exe.4095624.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d0e:$a1: NanoCore.ClientPluginHost 0x1fb60:$a1: NanoCore.ClientPluginHost 0x27a86:$a1: NanoCore.ClientPluginHost 0x2da57:$a1: NanoCore.ClientPluginHost 0x374c3:$a1: NanoCore.ClientPluginHost 0x418ee:$a1: NanoCore.ClientPluginHost 0x4c8cb:$a1: NanoCore.ClientPluginHost 0x5866d:$a1: NanoCore.ClientPluginHost 0x6db45:$a1: NanoCore.ClientPluginHost 0x95da7:$a1: NanoCore.ClientPluginHost 0xa51e7:$a1: NanoCore.ClientPluginHost 0xbd571:$a1: NanoCore.ClientPluginHost 0xe57bf:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d8a:$a2: NanoCore.ClientPlugin 0x1fbdc:$a2: NanoCore.ClientPlugin 0x27b00:$a2: NanoCore.ClientPlugin 0x2daa1:$a2: NanoCore.ClientPlugin 0x375ad:$a2: NanoCore.ClientPlugin 0x4198e:$a2: NanoCore.ClientPlugin
6.2.NYQbqD59m8.exe.4095624.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1fb60:$a: NanoCore 0x1fbdc:$a: NanoCore 0x224bf:$a: NanoCore 0x27a86:$a: NanoCore 0x27b00:$a: NanoCore 0x2c69d:$a: NanoCore 0x2da57:$a: NanoCore 0x2daa1:$a: NanoCore
6.2.NYQbqD59m8.exe.4095624.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1fb60:$x1: NanoCore.ClientPluginHost 0x27a86:$x1: NanoCore.ClientPluginHost 0x2da57:$x1: NanoCore.ClientPluginHost 0x374c3:$x1: NanoCore.ClientPluginHost 0x418ee:$x1: NanoCore.ClientPluginHost 0x4c8cb:$x1: NanoCore.ClientPluginHost 0x5866d:$x1: NanoCore.ClientPluginHost 0x6db45:$x1: NanoCore.ClientPluginHost 0x95da7:$x1: NanoCore.ClientPluginHost 0xa51e7:$x1: NanoCore.ClientPluginHost 0xbd571:$x1: NanoCore.ClientPluginHost 0xe57bf:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1fb99:$x2: IClientNetworkHost 0x27abf:$x2: IClientNetworkHost 0x37620:$x2: IClientNetworkHost 0x41927:$x2: IClientNetworkHost 0x4c8e5:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.4095624.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8a:$x2: NanoCore.ClientPlugin 0x1fbdc:$x2: NanoCore.ClientPlugin 0x27b00:$x2: NanoCore.ClientPlugin 0x2daa1:$x2: NanoCore.ClientPlugin 0x375ad:$x2: NanoCore.ClientPlugin 0x4198e:$x2: NanoCore.ClientPlugin 0x4c8a2:$x2: NanoCore.ClientPlugin 0x58644:$x2: NanoCore.ClientPlugin 0x6db10:$x2: NanoCore.ClientPlugin 0x95d7e:$x2: NanoCore.ClientPlugin 0xa51c2:$x2: NanoCore.ClientPlugin 0xbd53c:$x2: NanoCore.ClientPlugin 0xe5796:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d0e:$x3: NanoCore.ClientPluginHost 0x1fb60:$x3: NanoCore.ClientPluginHost 0x27a86:$x3: NanoCore.ClientPluginHost 0x2da57:$x3: NanoCore.ClientPluginHost 0x374c3:$x3: NanoCore.ClientPluginHost 0x418ee:$x3: NanoCore.ClientPluginHost
0.2.NYQbqD59m8.exe.353a424.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d17:$a1: NanoCore.ClientPluginHost 0x1fb6f:$a1: NanoCore.ClientPluginHost 0x27a9d:$a1: NanoCore.ClientPluginHost 0x2da78:$a1: NanoCore.ClientPluginHost 0x374eb:$a1: NanoCore.ClientPluginHost 0x4191f:$a1: NanoCore.ClientPluginHost 0x4c909:$a1: NanoCore.ClientPluginHost 0x586b7:$a1: NanoCore.ClientPluginHost 0x64446:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d93:$a2: NanoCore.ClientPlugin 0x1fbeb:$a2: NanoCore.ClientPlugin 0x27b17:$a2: NanoCore.ClientPlugin 0x2dac2:$a2: NanoCore.ClientPlugin 0x375d5:$a2: NanoCore.ClientPlugin 0x419bf:$a2: NanoCore.ClientPlugin 0x4c8e0:$a2: NanoCore.ClientPlugin 0x5868e:$a2: NanoCore.ClientPlugin 0x64421:$a2: NanoCore.ClientPlugin 0x64437:$b4: IClientAppHost
6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.NYQbqD59m8.exe.353a424.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1fb6f:$a: NanoCore 0x1fbeb:$a: NanoCore 0x224ce:$a: NanoCore 0x27a9d:$a: NanoCore 0x27b17:$a: NanoCore 0x2da78:$a: NanoCore 0x2dac2:$a: NanoCore 0x2e71c:$a: NanoCore
0.2.NYQbqD59m8.exe.353a424.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1fb6f:$x1: NanoCore.ClientPluginHost 0x27a9d:$x1: NanoCore.ClientPluginHost 0x2da78:$x1: NanoCore.ClientPluginHost 0x374eb:$x1: NanoCore.ClientPluginHost 0x4191f:$x1: NanoCore.ClientPluginHost 0x4c909:$x1: NanoCore.ClientPluginHost 0x586b7:$x1: NanoCore.ClientPluginHost 0x64446:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1fba8:$x2: IClientNetworkHost 0x27ad6:$x2: IClientNetworkHost 0x37648:$x2: IClientNetworkHost 0x41958:$x2: IClientNetworkHost 0x4c923:$x2: IClientNetworkHost 0x586d1:$x2: IClientNetworkHost 0x64483:$x2: IClientNetworkHost
6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x99e7:$a1: NanoCore.ClientPluginHost 0x19c03:$a1: NanoCore.ClientPluginHost 0x26d6c:$a1: NanoCore.ClientPluginHost 0x30bbe:$a1: NanoCore.ClientPluginHost 0x38ae4:$a1: NanoCore.ClientPluginHost 0x3eab5:$a1: NanoCore.ClientPluginHost 0x48521:$a1: NanoCore.ClientPluginHost 0x5294c:$a1: NanoCore.ClientPluginHost 0x5d929:$a1: NanoCore.ClientPluginHost 0x696cb:$a1: NanoCore.ClientPluginHost 0x7eba3:$a1: NanoCore.ClientPluginHost 0xa6e05:$a1: NanoCore.ClientPluginHost 0xb6245:$a1: NanoCore.ClientPluginHost 0xce5cf:$a1: NanoCore.ClientPluginHost 0xf681d:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x99c2:$a2: NanoCore.ClientPlugin 0x19bdd:$a2: NanoCore.ClientPlugin 0x26de8:$a2: NanoCore.ClientPlugin 0x30c3a:$a2: NanoCore.ClientPlugin
0.2.NYQbqD59m8.exe.353a424.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d93:$x2: NanoCore.ClientPlugin 0x1fbeb:$x2: NanoCore.ClientPlugin 0x27b17:$x2: NanoCore.ClientPlugin 0x2dac2:$x2: NanoCore.ClientPlugin 0x375d5:$x2: NanoCore.ClientPlugin 0x419bf:$x2: NanoCore.ClientPlugin 0x4c8e0:$x2: NanoCore.ClientPlugin 0x5868e:$x2: NanoCore.ClientPlugin 0x64421:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d17:$x3: NanoCore.ClientPluginHost 0x1fb6f:$x3: NanoCore.ClientPluginHost 0x27a9d:$x3: NanoCore.ClientPluginHost 0x2da78:$x3: NanoCore.ClientPluginHost 0x374eb:$x3: NanoCore.ClientPluginHost 0x4191f:$x3: NanoCore.ClientPluginHost 0x4c909:$x3: NanoCore.ClientPluginHost 0x586b7:$x3: NanoCore.ClientPluginHost 0x64446:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99c2:$a: NanoCore 0x99e7:$a: NanoCore 0x9a40:$a: NanoCore 0x19bdd:$a: NanoCore 0x19c03:$a: NanoCore 0x19c5f:$a: NanoCore 0x26ab4:$a: NanoCore 0x26b0d:$a: NanoCore 0x26b40:$a: NanoCore 0x26d6c:$a: NanoCore 0x26de8:$a: NanoCore 0x27401:$a: NanoCore 0x2754a:$a: NanoCore 0x27a1e:$a: NanoCore 0x27d05:$a: NanoCore 0x27d1c:$a: NanoCore 0x30bbe:$a: NanoCore
6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x99c2:$x2: NanoCore.ClientPlugin 0x19bdd:$x2: NanoCore.ClientPlugin 0x26de8:$x2: NanoCore.ClientPlugin 0x30c3a:$x2: NanoCore.ClientPlugin 0x38b5e:$x2: NanoCore.ClientPlugin 0x3eaff:$x2: NanoCore.ClientPlugin 0x4860b:$x2: NanoCore.ClientPlugin 0x529ec:$x2: NanoCore.ClientPlugin 0x5d900:$x2: NanoCore.ClientPlugin 0x696a2:$x2: NanoCore.ClientPlugin 0x7eb6e:$x2: NanoCore.ClientPlugin 0xa6ddc:$x2: NanoCore.ClientPlugin 0xb6220:$x2: NanoCore.ClientPlugin 0xce59a:$x2: NanoCore.ClientPlugin 0xf67f4:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x99e7:$x3: NanoCore.ClientPluginHost 0x19c03:$x3: NanoCore.ClientPluginHost 0x26d6c:$x3: NanoCore.ClientPluginHost 0x30bbe:$x3: NanoCore.ClientPluginHost
0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x99ef:$a1: NanoCore.ClientPluginHost 0x19c19:$a1: NanoCore.ClientPluginHost 0x26d8b:$a1: NanoCore.ClientPluginHost 0x30be3:$a1: NanoCore.ClientPluginHost 0x38b11:$a1: NanoCore.ClientPluginHost 0x3eaec:$a1: NanoCore.ClientPluginHost 0x4855f:$a1: NanoCore.ClientPluginHost 0x52993:$a1: NanoCore.ClientPluginHost 0x5d97d:$a1: NanoCore.ClientPluginHost 0x6972b:$a1: NanoCore.ClientPluginHost 0x754ba:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x99ca:$a2: NanoCore.ClientPlugin 0x19bf3:$a2: NanoCore.ClientPlugin 0x26e07:$a2: NanoCore.ClientPlugin 0x30c5f:$a2: NanoCore.ClientPlugin 0x38b8b:$a2: NanoCore.ClientPlugin 0x3eb36:$a2: NanoCore.ClientPlugin 0x48649:$a2: NanoCore.ClientPlugin 0x52a33:$a2: NanoCore.ClientPlugin
0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99ca:$a: NanoCore 0x99ef:$a: NanoCore 0x9a48:$a: NanoCore 0x19bf3:$a: NanoCore 0x19c19:$a: NanoCore 0x19c75:$a: NanoCore 0x26ad3:$a: NanoCore 0x26b2c:$a: NanoCore 0x26b5f:$a: NanoCore 0x26d8b:$a: NanoCore 0x26e07:$a: NanoCore 0x27420:$a: NanoCore 0x27569:$a: NanoCore 0x27a3d:$a: NanoCore 0x27d24:$a: NanoCore 0x27d3b:$a: NanoCore 0x30be3:$a: NanoCore
0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x99ef:$x1: NanoCore.ClientPluginHost 0x19c19:$x1: NanoCore.ClientPluginHost 0x26d8b:$x1: NanoCore.ClientPluginHost 0x30be3:$x1: NanoCore.ClientPluginHost 0x38b11:$x1: NanoCore.ClientPluginHost 0x3eaec:$x1: NanoCore.ClientPluginHost 0x4855f:$x1: NanoCore.ClientPluginHost 0x52993:$x1: NanoCore.ClientPluginHost 0x5d97d:$x1: NanoCore.ClientPluginHost 0x6972b:$x1: NanoCore.ClientPluginHost 0x754ba:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9a19:$x2: IClientNetworkHost 0x19c46:$x2: IClientNetworkHost 0x26dc4:$x2: IClientNetworkHost 0x30c1c:$x2: IClientNetworkHost 0x38b4a:$x2: IClientNetworkHost 0x486bc:$x2: IClientNetworkHost 0x529cc:$x2: IClientNetworkHost 0x5d997:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x99ca:$x2: NanoCore.ClientPlugin 0x19bf3:$x2: NanoCore.ClientPlugin 0x26e07:$x2: NanoCore.ClientPlugin 0x30c5f:$x2: NanoCore.ClientPlugin 0x38b8b:$x2: NanoCore.ClientPlugin 0x3eb36:$x2: NanoCore.ClientPlugin 0x48649:$x2: NanoCore.ClientPlugin 0x52a33:$x2: NanoCore.ClientPlugin 0x5d954:$x2: NanoCore.ClientPlugin 0x69702:$x2: NanoCore.ClientPlugin 0x75495:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x99ef:$x3: NanoCore.ClientPluginHost 0x19c19:$x3: NanoCore.ClientPluginHost 0x26d8b:$x3: NanoCore.ClientPluginHost 0x30be3:$x3: NanoCore.ClientPluginHost 0x38b11:$x3: NanoCore.ClientPluginHost 0x3eaec:$x3: NanoCore.ClientPluginHost 0x4855f:$x3: NanoCore.ClientPluginHost 0x52993:$x3: NanoCore.ClientPluginHost
0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14de5:$a1: NanoCore.ClientPluginHost 0x21f57:$a1: NanoCore.ClientPluginHost 0x2bdaf:$a1: NanoCore.ClientPluginHost 0x33cdd:$a1: NanoCore.ClientPluginHost 0x39cb8:$a1: NanoCore.ClientPluginHost 0x4372b:$a1: NanoCore.ClientPluginHost 0x4db5f:$a1: NanoCore.ClientPluginHost 0x58b49:$a1: NanoCore.ClientPluginHost 0x648f7:$a1: NanoCore.ClientPluginHost 0x70686:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14dbf:$a2: NanoCore.ClientPlugin 0x21fd3:$a2: NanoCore.ClientPlugin 0x2be2b:$a2: NanoCore.ClientPlugin 0x33d57:$a2: NanoCore.ClientPlugin 0x39d02:$a2: NanoCore.ClientPlugin 0x43815:$a2: NanoCore.ClientPlugin 0x4dbff:$a2: NanoCore.ClientPlugin 0x58b20:$a2: NanoCore.ClientPlugin 0x648ce:$a2: NanoCore.ClientPlugin
0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x2bdaf:$a: NanoCore 0x2be2b:$a: NanoCore 0x2e70e:$a: NanoCore 0x33cdd:$a: NanoCore 0x33d57:$a: NanoCore
0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x2bdaf:$x1: NanoCore.ClientPluginHost 0x33cdd:$x1: NanoCore.ClientPluginHost 0x39cb8:$x1: NanoCore.ClientPluginHost 0x4372b:$x1: NanoCore.ClientPluginHost 0x4db5f:$x1: NanoCore.ClientPluginHost 0x58b49:$x1: NanoCore.ClientPluginHost 0x648f7:$x1: NanoCore.ClientPluginHost 0x70686:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x2bde8:$x2: IClientNetworkHost 0x33d16:$x2: IClientNetworkHost 0x43888:$x2: IClientNetworkHost 0x4db98:$x2: IClientNetworkHost 0x58b63:$x2: IClientNetworkHost 0x64911:$x2: IClientNetworkHost 0x706c3:$x2: IClientNetworkHost
0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14dbf:$x2: NanoCore.ClientPlugin 0x21fd3:$x2: NanoCore.ClientPlugin 0x2be2b:$x2: NanoCore.ClientPlugin 0x33d57:$x2: NanoCore.ClientPlugin 0x39d02:$x2: NanoCore.ClientPlugin 0x43815:$x2: NanoCore.ClientPlugin 0x4dbff:$x2: NanoCore.ClientPlugin 0x58b20:$x2: NanoCore.ClientPlugin 0x648ce:$x2: NanoCore.ClientPlugin 0x70661:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14de5:$x3: NanoCore.ClientPluginHost 0x21f57:$x3: NanoCore.ClientPluginHost 0x2bdaf:$x3: NanoCore.ClientPluginHost 0x33cdd:$x3: NanoCore.ClientPluginHost 0x39cb8:$x3: NanoCore.ClientPluginHost 0x4372b:$x3: NanoCore.ClientPluginHost 0x4db5f:$x3: NanoCore.ClientPluginHost 0x58b49:$x3: NanoCore.ClientPluginHost 0x648f7:$x3: NanoCore.ClientPluginHost
Click to see the 163 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\NYQbqD59m8.exe, ProcessId: 1708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\NYQbqD59m8.exe, ProcessId: 1708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

System Summary

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\NYQbqD59m8.exe", ParentImage: C:\Users\user\Desktop\NYQbqD59m8.exe, ParentProcessId: 1708, ParentProcessName: NYQbqD59m8.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp", ProcessId: 1288, ProcessName: schtasks.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\DNS Host\dnshost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\NYQbqD59m8.exe, ProcessId: 1708, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\NYQbqD59m8.exe", ParentImage: C:\Users\user\Desktop\NYQbqD59m8.exe, ParentProcessId: 1708, ParentProcessName: NYQbqD59m8.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp", ProcessId: 1288, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\NYQbqD59m8.exe, ProcessId: 1708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\NYQbqD59m8.exe, ProcessId: 1708, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:33.858566+0200
SID:	2822326
Source Port:	49718
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:03.960456+0200
SID:	2025019
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:20.108576+0200
SID:	2822326
Source Port:	49714
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:32:00.064900+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:32:00.629397+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:44.983281+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.66.38.117

Timestamp:	2024-07-31T18:33:32.592610+0200
SID:	2822326
Source Port:	49731
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:14.686380+0200
SID:	2822326
Source Port:	49727
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:59.030067+0200
SID:	2822326
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:04.030336+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:31:59.936690+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:59.061415+0200
SID:	2822326
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:10.139466+0200
SID:	2822326
Source Port:	49706
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:15.518469+0200
SID:	2822326
Source Port:	49707
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:05.030315+0200
SID:	2822326
Source Port:	49705
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:31:59.605396+0200
SID:	2025019
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:44.921054+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:49.412071+0200
SID:	2822326
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:29.155382+0200
SID:	2822326
Source Port:	49717
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:49.358340+0200
SID:	2822326
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:05.358527+0200
SID:	2822326
Source Port:	49705
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:04.124264+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.66.38.117

Timestamp:	2024-07-31T18:33:32.576994+0200
SID:	2822326
Source Port:	49731
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.358690+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:44.811436+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:32:00.236247+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:03.973406+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:05.155242+0200
SID:	2822326
Source Port:	49705
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:23.353659+0200
SID:	2025019
Source Port:	49729
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:24.811553+0200
SID:	2822326
Source Port:	49716
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:49.873806+0200
SID:	2822326
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:32:00.545799+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.514506+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:40.116169+0200
SID:	2822326
Source Port:	49719
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:09.678369+0200
SID:	2025019
Source Port:	49706
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:49.234948+0200
SID:	2025019
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:50.025219+0200
SID:	2822326
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:33.983377+0200
SID:	2822326
Source Port:	49718
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:49.640953+0200
SID:	2822326
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:59.552305+0200
SID:	2822326
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.749012+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:04.155341+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:24.256398+0200
SID:	2025019
Source Port:	49716
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:08.579280+0200
SID:	2822326
Source Port:	49726
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:29.502705+0200
SID:	2822326
Source Port:	49717
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:04.280189+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:04.840198+0200
SID:	2025019
Source Port:	49705
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:44.531241+0200
SID:	2025019
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:09.702419+0200
SID:	2822326
Source Port:	49706
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:05.217781+0200
SID:	2822326
Source Port:	49705
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:39.472145+0200
SID:	2025019
Source Port:	49719
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:23.359296+0200
SID:	2822326
Source Port:	49729
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:34.517603+0200
SID:	2822326
Source Port:	49718
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:28.507703+0200
SID:	2025019
Source Port:	49730
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.545793+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:29.005256+0200
SID:	2025019
Source Port:	49717
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:45.155129+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:19.861224+0200
SID:	2822326
Source Port:	49714
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:49.264643+0200
SID:	2822326
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:04.905401+0200
SID:	2822326
Source Port:	49705
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.248965+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:04.186407+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:15.139641+0200
SID:	2822326
Source Port:	49707
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:58.986249+0200
SID:	2025019
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.66.38.117

Timestamp:	2024-07-31T18:33:19.001161+0200
SID:	2025019
Source Port:	49728
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:24.561536+0200
SID:	2822326
Source Port:	49716
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:15.202156+0200
SID:	2822326
Source Port:	49707
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:08.592590+0200
SID:	2822326
Source Port:	49726
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:15.327257+0200
SID:	2822326
Source Port:	49707
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:04.061455+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:10.431398+0200
SID:	2822326
Source Port:	49706
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.948120+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.66.38.117

Timestamp:	2024-07-31T18:33:32.557617+0200
SID:	2025019
Source Port:	49731
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:24.374022+0200
SID:	2822326
Source Port:	49716
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:14.807656+0200
SID:	2025019
Source Port:	49707
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.295947+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.66.38.117

Timestamp:	2024-07-31T18:33:19.014494+0200
SID:	2822326
Source Port:	49728
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.623878+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.670813+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:45.092860+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:31:59.873998+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:09.827185+0200
SID:	2822326
Source Port:	49706
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:33.733575+0200
SID:	2822326
Source Port:	49718
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.210370+0200
SID:	2025019
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:15.014655+0200
SID:	2822326
Source Port:	49707
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:44.702060+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:59.608401+0200
SID:	2822326
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:29.280442+0200
SID:	2822326
Source Port:	49717
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:34.108423+0200
SID:	2822326
Source Port:	49718
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:59.577128+0200
SID:	2822326
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:19.549017+0200
SID:	2025019
Source Port:	49714
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:59.295717+0200
SID:	2822326
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:24.686529+0200
SID:	2822326
Source Port:	49716
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:14.662778+0200
SID:	2822326
Source Port:	49727
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:31:59.627562+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:19.655362+0200
SID:	2822326
Source Port:	49714
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:44.545764+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:23.374094+0200
SID:	2822326
Source Port:	49729
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:39.624522+0200
SID:	2822326
Source Port:	49719
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:19.788107+0200
SID:	2822326
Source Port:	49714
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:19.983652+0200
SID:	2822326
Source Port:	49714
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:39.546137+0200
SID:	2822326
Source Port:	49719
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:04.217758+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.115.178

Timestamp:	2024-07-31T18:31:59.749064+0200
SID:	2822326
Source Port:	49704
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:14.889622+0200
SID:	2822326
Source Port:	49707
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:08.566610+0200
SID:	2025019
Source Port:	49726
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:14.671198+0200
SID:	2822326
Source Port:	49727
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:58.998826+0200
SID:	2822326
Source Port:	49724
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:34.326961+0200
SID:	2822326
Source Port:	49718
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:24.437110+0200
SID:	2822326
Source Port:	49716
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:33:03.998901+0200
SID:	2822326
Source Port:	49725
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:44.592679+0200
SID:	2822326
Source Port:	49720
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:33:14.652117+0200
SID:	2025019
Source Port:	49727
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:29.530213+0200
SID:	2822326
Source Port:	49717
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:29.092795+0200
SID:	2822326
Source Port:	49717
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 3.68.171.119

Timestamp:	2024-07-31T18:32:33.719027+0200
SID:	2025019
Source Port:	49718
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:39.936472+0200
SID:	2822326
Source Port:	49719
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 3.69.157.220

Timestamp:	2024-07-31T18:32:29.593032+0200
SID:	2822326
Source Port:	49717
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 18.197.239.109

Timestamp:	2024-07-31T18:32:49.502859+0200
SID:	2822326
Source Port:	49721
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.5 - Destination IP: 52.28.247.255

Timestamp:	2024-07-31T18:32:54.437748+0200
SID:	2822326
Source Port:	49722
Destination Port:	13201
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NYQbqD59m8.exe

Avira: detected

Antivirus detection for URL or domain

Source: 6.tcp.eu.ngrok.io

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Source: 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "3425541e-8f39-4854-8b6f-412dbeb4", "Group": "Default", "Domain1": "6.tcp.eu.ngrok.io", "Domain2": "", "Port": 13201, "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: NYQbqD59m8.exe

ReversingLabs: Detection: 97%

Yara detected Nanocore RAT

Source: Yara match	File source: NYQbqD59m8.exe, type: SAMPLE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: NYQbqD59m8.exe

Joe Sandbox ML: detected

Source: NYQbqD59m8.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 4x nop then mov esp, ebp	0_2_018DB3E6
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_065644D0
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_065644C0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 6.tcp.eu.ngrok.io

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 3.69.115.178:13201
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 3.69.157.220:13201
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 18.197.239.109:13201
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 3.68.171.119:13201
Source: global traffic	TCP traffic: 192.168.2.5:49714 -> 52.28.247.255:13201
Source: global traffic	TCP traffic: 192.168.2.5:49728 -> 3.66.38.117:13201

Source: Joe Sandbox View	IP Address: 3.66.38.117 3.66.38.117
Source: Joe Sandbox View	IP Address: 52.28.247.255 52.28.247.255
Source: Joe Sandbox View	IP Address: 18.197.239.109 18.197.239.109
Source: Joe Sandbox View	IP Address: 3.69.115.178 3.69.115.178

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Code function: 0_2_0578351A WSARecv,

0_2_0578351A

Source: global traffic

DNS traffic detected: DNS query: 6.tcp.eu.ngrok.io

Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://google.com

Source: NYQbqD59m8.exe, 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_3efde7a8-8

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: NYQbqD59m8.exe, type: SAMPLE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6480000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6480000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6480000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6100000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6100000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6100000.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6510000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6510000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6510000.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64d0000.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64d0000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64d0000.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.65b0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.65b0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.65b0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.4095624.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.4095624.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.4095624.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6570000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6570000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6570000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dnshost.exe.2a881cc.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dnshost.exe.2a881cc.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dnshost.exe.2a881cc.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64c0000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64c0000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64c0000.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dnshost.exe.2a944a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dnshost.exe.2a944a0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dnshost.exe.2a944a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64f0000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64f0000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64f0000.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.40893f2.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.40893f2.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.40893f2.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.dnshost.exe.2eb3188.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.dnshost.exe.2eb3188.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6100000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6100000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6100000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.353a424.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.353a424.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.353a424.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.64a0000.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.64a0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.64a0000.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6490000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6490000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6490000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6570000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6570000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6570000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6490000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6490000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6490000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000008.00000002.2222973541.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 5320, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 5320, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 1992, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Detects NanoCore Author: ditekSHen

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_05781A4A NtSetInformationProcess,	0_2_05781A4A
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_05781CEE NtQuerySystemInformation,	0_2_05781CEE
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_05781A19 NtSetInformationProcess,	0_2_05781A19
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_05781CB3 NtQuerySystemInformation,	0_2_05781CB3

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D9540	0_2_018D9540
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018DBC90	0_2_018DBC90
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018DC8E8	0_2_018DC8E8
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D3850	0_2_018D3850
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018DEF88	0_2_018DEF88
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D2FA8	0_2_018D2FA8
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D23A0	0_2_018D23A0
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018DC9AF	0_2_018DC9AF
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018DA140	0_2_018DA140
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D306F	0_2_018D306F
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018DA207	0_2_018DA207
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 6_2_01353850	6_2_01353850
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 6_2_013523A0	6_2_013523A0
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 6_2_01352FA8	6_2_01352FA8
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 6_2_0135306F	6_2_0135306F
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 6_2_013532BB	6_2_013532BB
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_00F223A0	7_2_00F223A0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_00F22FA8	7_2_00F22FA8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_00F2306F	7_2_00F2306F
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_011A3850	8_2_011A3850
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_011A2FA8	8_2_011A2FA8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_011A23A0	8_2_011A23A0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 8_2_011A306F	8_2_011A306F

Source: NYQbqD59m8.exe, 00000000.00000002.3007282854.00000000046EB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3004481555.000000000127E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011807561.00000000065BE000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011654427.0000000006598000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011592147.0000000006550000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011433086.0000000006518000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3007282854.0000000004714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000000.00000002.3010742958.0000000006124000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs NYQbqD59m8.exe
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NYQbqD59m8.exe

Source: NYQbqD59m8.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: NYQbqD59m8.exe, type: SAMPLE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6510000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6480000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6480000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6480000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6100000.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6100000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6100000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6510000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6510000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6510000.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64b0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64d0000.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64d0000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64d0000.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64d0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.65b0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.65b0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.65b0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.4095624.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.4095624.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.4095624.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6570000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6570000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6570000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dnshost.exe.2a881cc.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dnshost.exe.2a881cc.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dnshost.exe.2a881cc.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64c0000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64c0000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64c0000.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6110000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dnshost.exe.2a944a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dnshost.exe.2a944a0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dnshost.exe.2a944a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64f0000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64f0000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64f0000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64c0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6574c9f.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.40893f2.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.40893f2.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.40893f2.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.dnshost.exe.2eb3188.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.dnshost.exe.2eb3188.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6100000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6100000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6100000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.353a424.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.353a424.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.353a424.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.64a0000.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.64a0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.64a0000.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6110000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6490000.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6490000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6490000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6570000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6570000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6570000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6490000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6490000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6490000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.5e70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.657e8a4.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.2ff4398.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dnshost.exe.2a944a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.2fe3080.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dnshost.exe.2a881cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dnshost.exe.2a83188.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.2fe80c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.353a424.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.35293b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.NYQbqD59m8.exe.352e1e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000008.00000002.2222973541.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 5320, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 5320, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 5320, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 1992, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore

Source: NYQbqD59m8.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9995711238872403
Source: dnshost.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9995711238872403

Source: NYQbqD59m8.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NYQbqD59m8.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: NYQbqD59m8.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: NYQbqD59m8.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: NYQbqD59m8.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/8@22/6

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_057818CE AdjustTokenPrivileges,		0_2_057818CE
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_05781897 AdjustTokenPrivileges,		0_2_05781897

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File created: C:\Program Files (x86)\DNS Host

Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File created: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06

Jump to behavior

Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{3425541e-8f39-4854-8b6f-412dbeb4c734}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File created: C:\Users\user\AppData\Local\Temp\tmpAA92.tmp

Jump to behavior

Source: NYQbqD59m8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NYQbqD59m8.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NYQbqD59m8.exe

ReversingLabs: Detection: 97%

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File read: C:\Users\user\Desktop\NYQbqD59m8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NYQbqD59m8.exe "C:\Users\user\Desktop\NYQbqD59m8.exe"
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAB1F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\NYQbqD59m8.exe C:\Users\user\Desktop\NYQbqD59m8.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAB1F.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: NYQbqD59m8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: NYQbqD59m8.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: NYQbqD59m8.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: NYQbqD59m8.exe, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.0.dr, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_014C752C push ecx; ret	0_2_014C752D
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_014C7538 push ebp; ret	0_2_014C7539
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_014C9DAC push 78014CCBh; retf	0_2_014C9DB1
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D1199 pushfd ; iretd	0_2_018D11A8
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D1178 pushfd ; iretd	0_2_018D1179
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_018D8E60 push esp; iretd	0_2_018D8E69
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_06561070 push es; ret	0_2_065610D0
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_06561070 push es; ret	0_2_065610F0
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_06561070 push es; ret	0_2_06561130
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_065610E0 push es; ret	0_2_065610F0
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_065648EF push es; ret	0_2_06564910
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_065610A2 push es; ret	0_2_06561130
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_065610AF push es; ret	0_2_065610D0
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_06564960 push es; ret	0_2_06564970
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_06561102 push es; ret	0_2_06561130
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_00F20973 push ss; retf	7_2_00F20974
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 7_2_00F20961 push ss; retf	7_2_00F20968

Source: 0.2.NYQbqD59m8.exe.65b0000.23.raw.unpack, --qJd9OTcxMymaLeJgopZ0E6cJ8wEYRupo5_MvD068wrJg-.cs

High entropy of concatenated method names: '_0023_003DqIvd_axMXWgtEQcwT21aF4IR0t7X49kzD_UZxD5y7TGA_003D', '_0023_003DquoWMHzoL7FK1_0024ThbF0tZmNIR5ehV9WBX5T3n8o4nkJR3PKjVZ4hc_FhYri6wAC91', '_0023_003DqtunDZ6U1TWQOW9RHjYkSMOcnLQVqSMtcpgIgVEHnPKDgpcFcbmmOzpHM_pdaGajK', '_0023_003DqfOB2KpyAHvjxQeHOAhVjt6yCPMwi4AoefTL_eT8y21clLWi2XsOJx6gJraSd_Aix', '_0023_003DqRyhx9ILnjVuhnuW4V7IpDgkOSNjsm2I5BbY9laNrvvo_003D', '_0023_003DqI6e8rOoDYdkEFMjPLo0JyY5mSmNAMXCIYrB92Qh3RRoLUFOXszVMvIBa28sgHzqA', '_0023_003DqpLVFWSXMPrGinbFa3SdRDimAugYEyHHHdjArxQC9bGysTkW_0024ujT3TpaQbnbo_0024kse', '_0023_003DqFELV49NPOlTdb1HoshEvno96hium03iwZj3KOu7uIgM_003D', '_0023_003Dq8yiYzLtGfEvwaJBz1YUwFGX655_fw_0024lPQ7vxwY1yIZKtJYo9yaCYbYN2Qm9bX4IQ', '_0023_003DqgZElzTjSoEAQ2QDRf_cAS6sGfidr1v9PhQnvAo9rcxQYP4faCcP5Z3lyd_0024kExa9y'

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File created: C:\Program Files (x86)\DNS Host\dnshost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp"

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

File opened: C:\Users\user\Desktop\NYQbqD59m8.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Memory allocated: 3510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Memory allocated: 1790000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Memory allocated: 4F80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: C90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 1070000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Window / User API: threadDelayed 2316	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Window / User API: threadDelayed 4951	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Window / User API: foregroundWindowGot 776	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Window / User API: foregroundWindowGot 797	Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe TID: 572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe TID: 2460	Thread sleep time: -1158000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe TID: 3480	Thread sleep time: -380000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe TID: 2460	Thread sleep time: -2475500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe TID: 2272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 4668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 1220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Code function: 0_2_05781AF2 GetSystemInfo,

0_2_05781AF2

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: NYQbqD59m8.exe, 00000000.00000002.3004481555.00000000012F0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp"			Jump to behavior
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAB1F.tmp"			Jump to behavior

Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.00000000037F8000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003805000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003822000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.00000000037F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerP
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003822000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerL

Source: C:\Users\user\Desktop\NYQbqD59m8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: NYQbqD59m8.exe, type: SAMPLE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

Remote Access Functionality

Detected Nanocore Rat

Source: NYQbqD59m8.exe, 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: NYQbqD59m8.exe, 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: NYQbqD59m8.exe, 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: NYQbqD59m8.exe, 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: NYQbqD59m8.exe, 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: NYQbqD59m8.exe, 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: NYQbqD59m8.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe.0.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: NYQbqD59m8.exe, type: SAMPLE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6524629.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NYQbqD59m8.exe.6520000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.NYQbqD59m8.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40893f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.4095624.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.NYQbqD59m8.exe.40845c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NYQbqD59m8.exe PID: 5756, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_0578305E bind,		0_2_0578305E
Source: C:\Users\user\Desktop\NYQbqD59m8.exe	Code function: 0_2_0578300C bind,		0_2_0578300C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	2 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	12 Process Injection	LSA Secrets	3 System Information Discovery	SSH	Keylogging	1 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	11 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
NYQbqD59m8.exe	97%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
NYQbqD59m8.exe	100%	Avira	TR/Dropper.MSIL.Gen7
NYQbqD59m8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\DNS Host\dnshost.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Program Files (x86)\DNS Host\dnshost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DNS Host\dnshost.exe	97%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore

Source	Detection	Scanner	Label	Link
http://google.com	0%	Avira URL Cloud	safe
6.tcp.eu.ngrok.io	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
6.tcp.eu.ngrok.io	3.69.115.178	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true		unknown
6.tcp.eu.ngrok.io	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com	NYQbqD59m8.exe, 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, NYQbqD59m8.exe, 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.66.38.117	unknown	United States	16509	AMAZON-02US	false
52.28.247.255	unknown	United States	16509	AMAZON-02US	false
18.197.239.109	unknown	United States	16509	AMAZON-02US	false
3.69.115.178	6.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
3.68.171.119	unknown	United States	16509	AMAZON-02US	false
3.69.157.220	unknown	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1485500
Start date and time:	2024-07-31 18:31:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	NYQbqD59m8.exe renamed because original name is a hash value
Original Sample Name:	2D5B4052BA6E888D0A2E8B044BC04651.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/8@22/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 488 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: NYQbqD59m8.exe

Simulations

Behavior and APIs

Time	Type	Description
12:31:57	API Interceptor	628415x Sleep call for process: NYQbqD59m8.exe modified
12:31:59	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DNS Host C:\Program Files (x86)\DNS Host\dnshost.exe
18:31:59	Task Scheduler	Run new task: DNS Host path: "C:\Users\user\Desktop\NYQbqD59m8.exe" s>$(Arg0)
18:31:59	Task Scheduler	Run new task: DNS Host Task path: "C:\Program Files (x86)\DNS Host\dnshost.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
3.66.38.117	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse
	NfJ0jC2dPr.exe	Get hash	malicious	Njrat	Browse
	ziTLBa3N50.exe	Get hash	malicious	Njrat	Browse
	1.exe	Get hash	malicious	Njrat	Browse
	226dVJ2zRZ.exe	Get hash	malicious	Njrat	Browse
	IsJb5hB84q.exe	Get hash	malicious	Njrat	Browse
	Terraria.exe	Get hash	malicious	Njrat	Browse
52.28.247.255	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse
	M5vARlA2c4.exe	Get hash	malicious	Njrat	Browse
	1.exe	Get hash	malicious	Njrat	Browse
	rkIcS0Y2WY.exe	Get hash	malicious	Njrat	Browse
	N1aqZIb7KG.exe	Get hash	malicious	Njrat	Browse
	QsKtlzYaKF.exe	Get hash	malicious	Njrat	Browse
	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse
	X5eo58PPCB.exe	Get hash	malicious	Njrat	Browse
18.197.239.109	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse
	Client.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	zyx3qItgQK.exe	Get hash	malicious	Njrat	Browse
	226dVJ2zRZ.exe	Get hash	malicious	Njrat	Browse
	IsJb5hB84q.exe	Get hash	malicious	Njrat	Browse
	rkIcS0Y2WY.exe	Get hash	malicious	Njrat	Browse
	30b4CoDmKk.exe	Get hash	malicious	Njrat	Browse
	N1aqZIb7KG.exe	Get hash	malicious	Njrat	Browse
	dKe1GfZOs1.exe	Get hash	malicious	Njrat	Browse
3.69.115.178	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
	1iZH7aeO5F.exe	Get hash	malicious	Njrat	Browse
	YTYyFVemXR.exe	Get hash	malicious	Njrat	Browse
	zyx3qItgQK.exe	Get hash	malicious	Njrat	Browse
	ziTLBa3N50.exe	Get hash	malicious	Njrat	Browse
	IsJb5hB84q.exe	Get hash	malicious	Njrat	Browse
	myidJB8lDL.exe	Get hash	malicious	Njrat	Browse
	rkIcS0Y2WY.exe	Get hash	malicious	Njrat	Browse
	30b4CoDmKk.exe	Get hash	malicious	Njrat	Browse
	QsKtlzYaKF.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6.tcp.eu.ngrok.io	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	3.69.115.178
	1iZH7aeO5F.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	mhYCwt8wBz.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	592CDAD0A5B0AE90E0C812AECB2677096AF06CF941CE2.exe	Get hash	malicious	Njrat	Browse	52.28.247.255
	U22p1GcCSb.exe	Get hash	malicious	Njrat	Browse	3.66.38.117
	Client.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	3.69.157.220
	M5vARlA2c4.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	YTYyFVemXR.exe	Get hash	malicious	Njrat	Browse	3.68.171.119
	zyx3qItgQK.exe	Get hash	malicious	Njrat	Browse	3.69.115.178
	NfJ0jC2dPr.exe	Get hash	malicious	Njrat	Browse	3.69.157.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	76.223.67.189
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.155.31
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	http://proposaljennycarlys.wordpress.com	Get hash	malicious	Unknown	Browse	18.245.31.5
	https://kaloramapartnersllc.freshdesk.com/en/support/solutions/articles/154000170546-secure-business-documents	Get hash	malicious	Unknown	Browse	13.35.58.5
	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	108.157.194.11
	https://updatingftsmkkoogjjjgjjhikvesdreal-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#c2VydmljZS5uYUBnZWxpdGEuY29t	Get hash	malicious	HtmlDropper	Browse	76.76.21.241
	https://quicknitro.shop/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://url-shield.securence.com/?p=1.0&r=vic@brodtinsurance.com&sid=1722373351257-084-00215276&s=2cgbtu52&n=bsecxhls3&ms=0.1,0.1,0.0,0.0&u=https%3A%2F%2Fhihello.me%2Fp%2F8e6a4dfa-7e69-4649-8591-556374951f64%3Fsharer_id%3DrmwO6QfrRwZg9SBrgXYDqyYh0l12	Get hash	malicious	Unknown	Browse	34.215.17.89
	https://jobsnearmeusa.com/Exit?adgroupid=109677066428&adposition=&campaignid=10045193036&creative=487634015749&device=c&feeditemid=&keyword=clasificado&loc_interest_ms=&loc_physical_ms=9007454&matchtype=b&placement=&q=clasificado&targetid=kwd-24416206&utm_campaign=10045193036_109677066428&utm_content=487634015749&utm_medium=cpc&utm_source=google-sem&utm_term=clasificado	Get hash	malicious	Unknown	Browse	3.165.190.78
AMAZON-02US	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	76.223.67.189
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.155.31
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	http://proposaljennycarlys.wordpress.com	Get hash	malicious	Unknown	Browse	18.245.31.5
	https://kaloramapartnersllc.freshdesk.com/en/support/solutions/articles/154000170546-secure-business-documents	Get hash	malicious	Unknown	Browse	13.35.58.5
	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	108.157.194.11
	https://updatingftsmkkoogjjjgjjhikvesdreal-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#c2VydmljZS5uYUBnZWxpdGEuY29t	Get hash	malicious	HtmlDropper	Browse	76.76.21.241
	https://quicknitro.shop/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://url-shield.securence.com/?p=1.0&r=vic@brodtinsurance.com&sid=1722373351257-084-00215276&s=2cgbtu52&n=bsecxhls3&ms=0.1,0.1,0.0,0.0&u=https%3A%2F%2Fhihello.me%2Fp%2F8e6a4dfa-7e69-4649-8591-556374951f64%3Fsharer_id%3DrmwO6QfrRwZg9SBrgXYDqyYh0l12	Get hash	malicious	Unknown	Browse	34.215.17.89
	https://jobsnearmeusa.com/Exit?adgroupid=109677066428&adposition=&campaignid=10045193036&creative=487634015749&device=c&feeditemid=&keyword=clasificado&loc_interest_ms=&loc_physical_ms=9007454&matchtype=b&placement=&q=clasificado&targetid=kwd-24416206&utm_campaign=10045193036_109677066428&utm_content=487634015749&utm_medium=cpc&utm_source=google-sem&utm_term=clasificado	Get hash	malicious	Unknown	Browse	3.165.190.78
AMAZON-02US	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	76.223.67.189
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.155.31
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	http://proposaljennycarlys.wordpress.com	Get hash	malicious	Unknown	Browse	18.245.31.5
	https://kaloramapartnersllc.freshdesk.com/en/support/solutions/articles/154000170546-secure-business-documents	Get hash	malicious	Unknown	Browse	13.35.58.5
	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	108.157.194.11
	https://updatingftsmkkoogjjjgjjhikvesdreal-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#c2VydmljZS5uYUBnZWxpdGEuY29t	Get hash	malicious	HtmlDropper	Browse	76.76.21.241
	https://quicknitro.shop/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://url-shield.securence.com/?p=1.0&r=vic@brodtinsurance.com&sid=1722373351257-084-00215276&s=2cgbtu52&n=bsecxhls3&ms=0.1,0.1,0.0,0.0&u=https%3A%2F%2Fhihello.me%2Fp%2F8e6a4dfa-7e69-4649-8591-556374951f64%3Fsharer_id%3DrmwO6QfrRwZg9SBrgXYDqyYh0l12	Get hash	malicious	Unknown	Browse	34.215.17.89
	https://jobsnearmeusa.com/Exit?adgroupid=109677066428&adposition=&campaignid=10045193036&creative=487634015749&device=c&feeditemid=&keyword=clasificado&loc_interest_ms=&loc_physical_ms=9007454&matchtype=b&placement=&q=clasificado&targetid=kwd-24416206&utm_campaign=10045193036_109677066428&utm_content=487634015749&utm_medium=cpc&utm_source=google-sem&utm_term=clasificado	Get hash	malicious	Unknown	Browse	3.165.190.78
AMAZON-02US	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	76.223.67.189
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.155.31
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	http://proposaljennycarlys.wordpress.com	Get hash	malicious	Unknown	Browse	18.245.31.5
	https://kaloramapartnersllc.freshdesk.com/en/support/solutions/articles/154000170546-secure-business-documents	Get hash	malicious	Unknown	Browse	13.35.58.5
	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	108.157.194.11
	https://updatingftsmkkoogjjjgjjhikvesdreal-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#c2VydmljZS5uYUBnZWxpdGEuY29t	Get hash	malicious	HtmlDropper	Browse	76.76.21.241
	https://quicknitro.shop/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://url-shield.securence.com/?p=1.0&r=vic@brodtinsurance.com&sid=1722373351257-084-00215276&s=2cgbtu52&n=bsecxhls3&ms=0.1,0.1,0.0,0.0&u=https%3A%2F%2Fhihello.me%2Fp%2F8e6a4dfa-7e69-4649-8591-556374951f64%3Fsharer_id%3DrmwO6QfrRwZg9SBrgXYDqyYh0l12	Get hash	malicious	Unknown	Browse	34.215.17.89
	https://jobsnearmeusa.com/Exit?adgroupid=109677066428&adposition=&campaignid=10045193036&creative=487634015749&device=c&feeditemid=&keyword=clasificado&loc_interest_ms=&loc_physical_ms=9007454&matchtype=b&placement=&q=clasificado&targetid=kwd-24416206&utm_campaign=10045193036_109677066428&utm_content=487634015749&utm_medium=cpc&utm_source=google-sem&utm_term=clasificado	Get hash	malicious	Unknown	Browse	3.165.190.78
AMAZON-02US	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	76.223.67.189
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.155.31
	BraveBrowserSetup-BRV010.exe	Get hash	malicious	Unknown	Browse	18.244.18.32
	http://proposaljennycarlys.wordpress.com	Get hash	malicious	Unknown	Browse	18.245.31.5
	https://kaloramapartnersllc.freshdesk.com/en/support/solutions/articles/154000170546-secure-business-documents	Get hash	malicious	Unknown	Browse	13.35.58.5
	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	108.157.194.11
	https://updatingftsmkkoogjjjgjjhikvesdreal-vercel-app.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp#c2VydmljZS5uYUBnZWxpdGEuY29t	Get hash	malicious	HtmlDropper	Browse	76.76.21.241
	https://quicknitro.shop/	Get hash	malicious	HTMLPhisher	Browse	76.76.21.22
	https://url-shield.securence.com/?p=1.0&r=vic@brodtinsurance.com&sid=1722373351257-084-00215276&s=2cgbtu52&n=bsecxhls3&ms=0.1,0.1,0.0,0.0&u=https%3A%2F%2Fhihello.me%2Fp%2F8e6a4dfa-7e69-4649-8591-556374951f64%3Fsharer_id%3DrmwO6QfrRwZg9SBrgXYDqyYh0l12	Get hash	malicious	Unknown	Browse	34.215.17.89
	https://jobsnearmeusa.com/Exit?adgroupid=109677066428&adposition=&campaignid=10045193036&creative=487634015749&device=c&feeditemid=&keyword=clasificado&loc_interest_ms=&loc_physical_ms=9007454&matchtype=b&placement=&q=clasificado&targetid=kwd-24416206&utm_campaign=10045193036_109677066428&utm_content=487634015749&utm_medium=cpc&utm_source=google-sem&utm_term=clasificado	Get hash	malicious	Unknown	Browse	3.165.190.78

Process:	C:\Users\user\Desktop\NYQbqD59m8.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	462848
Entropy (8bit):	7.846150082667742
Encrypted:	false
SSDEEP:	12288:8LV6BtpmkAuJO+CCSswmAf9CoPhxLz5zACZZ0d:OApfA7+XVwDY0hxLz5sCn0d
MD5:	2D5B4052BA6E888D0A2E8B044BC04651
SHA1:	7C23A7EA336CEB57D3C9D43B38B5D7E6B2265443
SHA-256:	C00FF750DA6D963181A49A76E0EC0C39BD58FA6F8926227543C3D65246AC4A17
SHA-512:	2FA5F0A2DD0D0F13A258AA97A96195B4F63441A79A3D60EDF96684EE3C09525E783EA4C28629982420121A6D23099099C76075559FB3D0A86F8E2AA8D91AB5ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: unknown Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................F........... ........@.. ......................................................................8...W.... ...B........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....B... ...D..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Program Files (x86)\DNS Host\dnshost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\NYQbqD59m8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NYQbqD59m8.exe.log

Download File

Process:	C:\Users\user\Desktop\NYQbqD59m8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk70Ug+9pfu9tv:MLF2CpI329Iz52VMzffuT
MD5:	BAF1CCDBBF490EC9AD4777DEA18A088E
SHA1:	182D70FB02C352E77B48E8659283D448143AE92B
SHA-256:	7712762A17AA3E6D3F233930BF94E91878F87A9C1C3010AC5346A4E615197E81
SHA-512:	53B86FAC03DD2FA75D140143C9B1D7F49FC1E9605DAE1B894910848864D153F239676B0AF37E5666EA9E606EED8F3BF180846ADC6DB82B7840F3C1AC2EFCDEA8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dnshost.exe.log

Download File

Process:	C:\Program Files (x86)\DNS Host\dnshost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.259753436570609
Encrypted:	false
SSDEEP:	12:Q3LaJU2C9XAn10U29xtUz1B0U2uk71K6xhk70Ug+9pfu9tv:MLF2CpI329Iz52VMzffuT
MD5:	BAF1CCDBBF490EC9AD4777DEA18A088E
SHA1:	182D70FB02C352E77B48E8659283D448143AE92B
SHA-256:	7712762A17AA3E6D3F233930BF94E91878F87A9C1C3010AC5346A4E615197E81
SHA-512:	53B86FAC03DD2FA75D140143C9B1D7F49FC1E9605DAE1B894910848864D153F239676B0AF37E5666EA9E606EED8F3BF180846ADC6DB82B7840F3C1AC2EFCDEA8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpAA92.tmp

Download File

Process:	C:\Users\user\Desktop\NYQbqD59m8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.125016082987613
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Puxtn:cbk4oL600QydbQxIYODOLedq3Suj
MD5:	4759FE5A3770F39F75F754B5AB953C46
SHA1:	46E1194588732AC7D756649BFE37E16613445032
SHA-256:	88710831658C2A24E887776277AFF83AC014E5D93C726A737BC111FE35CEB970
SHA-512:	ABBEA7E3079B52BA576F7D234793BEA47929F741CBBDA5324605CF2F9849681D2D3EC5B8CF4758500DE65FED09D7A6ABBD0A14709AEB7611A2C3872B6B1E1DFE
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpAB1F.tmp

Download File

Process:	C:\Users\user\Desktop\NYQbqD59m8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1306
Entropy (8bit):	5.104451641222393
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R9lxtn:cbk4oL600QydbQxIYODOLedq3S9lj
MD5:	CFD32F0E8DBE9B358E7445116E8FC086
SHA1:	00D89923A223372FAC166743853397ABD974825B
SHA-256:	3662F5D5D156CFA337FF07F335FC9D34B46E66DB3A7A2CF69C820DD4BA273ADD
SHA-512:	A190E08EDA457DF3FA3C25AA4C1211DDB8377B2C04BB3B16110F5C0FF1E440A709A1FB6543357C8625C323A1BF4E52ECF74115C1382A6EC10BBA657F42DF5014
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Download File

Process:	C:\Users\user\Desktop\NYQbqD59m8.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:d:d
MD5:	13531D250804A1BEA28AD33E345E9E35
SHA1:	4C36630FFB3FC12ED4E57099A2446C31C7BC64A5
SHA-256:	213746442485228A327130B6CC63E75C3B5A06159C9A2873627196D64F87E6FC
SHA-512:	E827A2CDB39E4AF5A1D707BB7ED500A494120C4C18DA4E8CCC0862931CEDA2EB0ED958CD5D5FCE18B7D3BCFA624175CE38B0E468A8968285D90442F46946A258
Malicious:	true
Preview:	.z.K~..H

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\task.dat

Download File

Process:	C:\Users\user\Desktop\NYQbqD59m8.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.511085408180429
Encrypted:	false
SSDEEP:	3:oNUWJRWrddD0C:oNNJApN0C
MD5:	4F0AC8B3D204990F150D097ADFF13425
SHA1:	F36B072C5DFCA3DFD97F255EE12A2A940FB5D967
SHA-256:	1158399E0F60E7B0837BBE074A4DE40856DC8B7904899962EECD99DAB4C0CCD5
SHA-512:	05FFAED96CFBD39E7F2829449A34D05669FB16378ECE5414A6BE9252DF3492C3D448727FFF0EBC1F89C413AFC0C99ECDC0EE62C766C659BD46264136C84BC18D
Malicious:	false
Preview:	C:\Users\user\Desktop\NYQbqD59m8.exe

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.846150082667742
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NYQbqD59m8.exe
File size:	462'848 bytes
MD5:	2d5b4052ba6e888d0a2e8b044bc04651
SHA1:	7c23a7ea336ceb57d3c9d43b38b5d7e6b2265443
SHA256:	c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17
SHA512:	2fa5f0a2dd0d0f13a258aa97a96195b4f63441a79a3d60edf96684ee3c09525e783ea4c28629982420121a6d23099099c76075559fb3d0a86f8e2aa8d91ab5ed
SSDEEP:	12288:8LV6BtpmkAuJO+CCSswmAf9CoPhxLz5zACZZ0d:OApfA7+XVwDY0hxLz5sCn0d
TLSH:	A1A401563BA4852FD2CE8AB8711612165379C3E3EDD3F3EE1AE060B24B623E546071D7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................F........... ........@.. .....................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41e792
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e738	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x542d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1c798	0x1c800	0163b36af921454a0440dcdda687edab	False	0.5945038377192983	data	6.598095970293904	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xc	0x200	fa81a8e21b7ba0db59d9a42aa7a5e570	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x542d8	0x54400	72ac4f52ff1caa4ecffac31aa7fbc383	False	0.9995711238872403	data	7.99943257812841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_RCDATA	0x22058	0x54280	data			1.0003365206089863

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-31T18:32:33.858566+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49718	13201	192.168.2.5	3.68.171.119
2024-07-31T18:33:03.960456+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:20.108576+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49714	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:00.064900+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:00.629397+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:44.983281+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:33:32.592610+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49731	13201	192.168.2.5	3.66.38.117
2024-07-31T18:33:14.686380+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49727	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:59.030067+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:33:04.030336+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:31:59.936690+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:59.061415+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:10.139466+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49706	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:15.518469+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49707	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:05.030315+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49705	13201	192.168.2.5	3.69.157.220
2024-07-31T18:31:59.605396+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:44.921054+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:49.412071+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:29.155382+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49717	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:49.358340+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:05.358527+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49705	13201	192.168.2.5	3.69.157.220
2024-07-31T18:33:04.124264+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:33:32.576994+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49731	13201	192.168.2.5	3.66.38.117
2024-07-31T18:32:54.358690+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:44.811436+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:00.236247+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:33:03.973406+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:05.155242+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49705	13201	192.168.2.5	3.69.157.220
2024-07-31T18:33:23.353659+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49729	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:24.811553+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49716	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:49.873806+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:00.545799+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:54.514506+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:40.116169+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49719	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:09.678369+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49706	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:49.234948+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:50.025219+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:33.983377+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49718	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:49.640953+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:59.552305+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:54.749012+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:04.155341+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:24.256398+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49716	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:08.579280+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49726	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:29.502705+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49717	13201	192.168.2.5	3.69.157.220
2024-07-31T18:33:04.280189+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:04.840198+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49705	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:44.531241+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:09.702419+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49706	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:05.217781+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49705	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:39.472145+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49719	13201	192.168.2.5	18.197.239.109
2024-07-31T18:33:23.359296+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49729	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:34.517603+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49718	13201	192.168.2.5	3.68.171.119
2024-07-31T18:33:28.507703+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49730	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:54.545793+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:29.005256+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49717	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:45.155129+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:19.861224+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49714	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:49.264643+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:04.905401+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49705	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:54.248965+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:04.186407+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:15.139641+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49707	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:58.986249+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:33:19.001161+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49728	13201	192.168.2.5	3.66.38.117
2024-07-31T18:32:24.561536+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49716	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:15.202156+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49707	13201	192.168.2.5	3.68.171.119
2024-07-31T18:33:08.592590+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49726	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:15.327257+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49707	13201	192.168.2.5	3.68.171.119
2024-07-31T18:33:04.061455+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:10.431398+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49706	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:54.948120+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:32.557617+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49731	13201	192.168.2.5	3.66.38.117
2024-07-31T18:32:24.374022+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49716	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:14.807656+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49707	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:54.295947+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:19.014494+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49728	13201	192.168.2.5	3.66.38.117
2024-07-31T18:32:54.623878+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:54.670813+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:45.092860+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:31:59.873998+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:09.827185+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49706	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:33.733575+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49718	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:54.210370+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49722	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:15.014655+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49707	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:44.702060+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:59.608401+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:29.280442+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49717	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:34.108423+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49718	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:59.577128+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:19.549017+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49714	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:59.295717+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:24.686529+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49716	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:14.662778+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49727	13201	192.168.2.5	52.28.247.255
2024-07-31T18:31:59.627562+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:19.655362+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49714	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:44.545764+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:33:23.374094+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49729	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:39.624522+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49719	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:19.788107+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49714	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:19.983652+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49714	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:39.546137+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49719	13201	192.168.2.5	18.197.239.109
2024-07-31T18:33:04.217758+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:31:59.749064+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49704	13201	192.168.2.5	3.69.115.178
2024-07-31T18:32:14.889622+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49707	13201	192.168.2.5	3.68.171.119
2024-07-31T18:33:08.566610+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49726	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:14.671198+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49727	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:58.998826+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49724	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:34.326961+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49718	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:24.437110+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49716	13201	192.168.2.5	52.28.247.255
2024-07-31T18:33:03.998901+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49725	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:44.592679+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49720	13201	192.168.2.5	18.197.239.109
2024-07-31T18:33:14.652117+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49727	13201	192.168.2.5	52.28.247.255
2024-07-31T18:32:29.530213+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49717	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:29.092795+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49717	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:33.719027+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	49718	13201	192.168.2.5	3.68.171.119
2024-07-31T18:32:39.936472+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49719	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:29.593032+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49717	13201	192.168.2.5	3.69.157.220
2024-07-31T18:32:49.502859+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49721	13201	192.168.2.5	18.197.239.109
2024-07-31T18:32:54.437748+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	49722	13201	192.168.2.5	52.28.247.255

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 18:31:59.592052937 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:31:59.597172976 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:31:59.597273111 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:31:59.605396032 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:31:59.610908985 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:31:59.627562046 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:31:59.699928045 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:31:59.749063969 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:31:59.754014969 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:31:59.873997927 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:31:59.879101992 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:31:59.936690092 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:31:59.972099066 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.064899921 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:32:00.079724073 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.236247063 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:32:00.545799017 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:32:00.629232883 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.629333019 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.629396915 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:32:00.629472017 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.629507065 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:32:00.630213976 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.630251884 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:32:00.630981922 CEST	49704	13201	192.168.2.5	3.69.115.178
Jul 31, 2024 18:32:00.634632111 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.634677887 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.636670113 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.636698961 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:00.636764050 CEST	13201	49704	3.69.115.178	192.168.2.5
Jul 31, 2024 18:32:04.833739042 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:04.839603901 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:04.839699030 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:04.840198040 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:04.845555067 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:04.905400991 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:04.910449982 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:05.030314922 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:05.035446882 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:05.155241966 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:05.161272049 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:05.217781067 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:05.223157883 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:05.358526945 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:05.363512993 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:05.480544090 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:05.480798006 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:05.482297897 CEST	13201	49705	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:05.482374907 CEST	49705	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:09.672782898 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:09.677956104 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:09.678034067 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:09.678369045 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:09.683228016 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:09.702419043 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:09.712896109 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:09.827184916 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:10.139466047 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:10.431282997 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:10.431328058 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:10.431397915 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:10.431484938 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:10.431512117 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:10.431545973 CEST	49706	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:10.434187889 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:10.434237003 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:10.438597918 CEST	13201	49706	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:14.802270889 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:14.807214022 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:14.807297945 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:14.807656050 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:14.812525034 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:14.889621973 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:14.894911051 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.014655113 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:15.020221949 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.139641047 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:15.144812107 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.202156067 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:15.207412958 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.327256918 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:15.518347979 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.518372059 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.518469095 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:15.518471003 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.518527031 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:15.518553972 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.519598007 CEST	49707	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:15.523422956 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:15.523441076 CEST	13201	49707	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:19.542749882 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:19.547911882 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:19.548008919 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:19.549016953 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:19.554069996 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:19.655361891 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:19.660393953 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:19.788106918 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:19.793170929 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:19.861223936 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:19.866245031 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:19.983652115 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:19.988928080 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:20.108576059 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:20.114053011 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:20.222342968 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:20.222589970 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:20.222949982 CEST	13201	49714	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:20.223011971 CEST	49714	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.250344992 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.255789995 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.255865097 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.256397963 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.262361050 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.374022007 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.379193068 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.437109947 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.442295074 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.561536074 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.567692995 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.686528921 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.692424059 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.811553001 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.816706896 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.922590017 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.922765970 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:24.923669100 CEST	13201	49716	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:24.923734903 CEST	49716	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:28.999115944 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.004821062 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.004904985 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.005255938 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.010015965 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.092794895 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.097732067 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.155381918 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.160409927 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.280441999 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.502640009 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.502705097 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.527107000 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.530213118 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.535437107 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.593031883 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.597997904 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.638267040 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.638912916 CEST	13201	49717	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:29.638963938 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:29.654525042 CEST	49717	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:33.713381052 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:33.718602896 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:33.718683004 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:33.719027042 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:33.724014044 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:33.733575106 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:33.738497019 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:33.858566046 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:33.863922119 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:33.983376980 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:33.988787889 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:34.108422995 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:34.326961040 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:34.517401934 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:34.517602921 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:34.517602921 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:34.517636061 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:34.517684937 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:34.517685890 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:34.517760038 CEST	49718	13201	192.168.2.5	3.68.171.119
Jul 31, 2024 18:32:34.523967981 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:34.524084091 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:34.525113106 CEST	13201	49718	3.68.171.119	192.168.2.5
Jul 31, 2024 18:32:39.465812922 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:39.471651077 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:39.471832991 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:39.472145081 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:39.478260040 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:39.546137094 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:39.551250935 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:39.624521971 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:39.936471939 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:40.116080046 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:40.116134882 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:40.116168976 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:40.127762079 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:40.184561968 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:40.185395002 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:40.186661959 CEST	13201	49719	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:40.186729908 CEST	49719	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.525748968 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.530781984 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:44.530961990 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.531240940 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.540803909 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:44.545763969 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.551040888 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:44.592679024 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.598170042 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:44.702059984 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.707103968 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:44.811435938 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.816414118 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:44.921053886 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.926404953 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:44.983280897 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:44.989759922 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:45.092859983 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:45.097959995 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:45.155128956 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:45.160243988 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:45.206803083 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:45.207019091 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:45.207142115 CEST	13201	49720	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:45.207194090 CEST	49720	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.229123116 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.234534979 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:49.234638929 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.234947920 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.240075111 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:49.264642954 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.320698977 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:49.358340025 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.412013054 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:49.412070990 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.417499065 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:49.502859116 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.507889032 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:49.640953064 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:49.873806000 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:50.024983883 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:50.025218964 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:50.025293112 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:50.025607109 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:50.025635004 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:50.025659084 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:50.025685072 CEST	49721	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:32:50.029299021 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:50.029429913 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:50.031785011 CEST	13201	49721	18.197.239.109	192.168.2.5
Jul 31, 2024 18:32:54.203968048 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.210016012 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.210103989 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.210370064 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.215480089 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.248965025 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.254410982 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.295947075 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.300935030 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.358690023 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.363591909 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.437747955 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.442918062 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.514506102 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.519335985 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.545793056 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.551722050 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.623878002 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.629249096 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.670813084 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.675805092 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.749011993 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.948028088 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.948080063 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.948107004 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.948120117 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.948143959 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.948162079 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.948231936 CEST	49722	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:32:54.954735041 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.954762936 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.954788923 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:54.954837084 CEST	13201	49722	52.28.247.255	192.168.2.5
Jul 31, 2024 18:32:58.976960897 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:58.985891104 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:58.985980988 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:58.986248970 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:58.992693901 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:58.998826027 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.005548000 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.030066967 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.036003113 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.061414957 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.295717001 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.552129984 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.552150011 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.552304983 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.562695980 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.577127934 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.596733093 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.608401060 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.616405964 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.660466909 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.661537886 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:32:59.661776066 CEST	13201	49724	3.69.157.220	192.168.2.5
Jul 31, 2024 18:32:59.661824942 CEST	49724	13201	192.168.2.5	3.69.157.220
Jul 31, 2024 18:33:03.954006910 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:03.960059881 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:03.960158110 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:03.960455894 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:03.973334074 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:03.973406076 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:03.978852034 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:03.998900890 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.005448103 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.030335903 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.035361052 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.061455011 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.066926003 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.124264002 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.129441023 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.155340910 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.160686970 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.186407089 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.191433907 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.217757940 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.222732067 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.280189037 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.530304909 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:04.606515884 CEST	13201	49725	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:04.606633902 CEST	49725	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:08.559420109 CEST	49726	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:08.564321995 CEST	13201	49726	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:08.566317081 CEST	49726	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:08.566610098 CEST	49726	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:08.575678110 CEST	13201	49726	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:08.579279900 CEST	49726	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:08.585885048 CEST	13201	49726	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:08.592590094 CEST	49726	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:08.597927094 CEST	13201	49726	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:08.608506918 CEST	49726	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:14.302072048 CEST	49727	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:14.651487112 CEST	13201	49727	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:14.651640892 CEST	49727	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:14.652117014 CEST	49727	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:14.662668943 CEST	13201	49727	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:14.662777901 CEST	49727	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:14.668848991 CEST	13201	49727	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:14.671197891 CEST	49727	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:14.676620007 CEST	13201	49727	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:14.686379910 CEST	49727	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:14.691469908 CEST	13201	49727	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:14.702075005 CEST	49727	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:18.996027946 CEST	49728	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:19.000797033 CEST	13201	49728	3.66.38.117	192.168.2.5
Jul 31, 2024 18:33:19.000893116 CEST	49728	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:19.001161098 CEST	49728	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:19.006361961 CEST	13201	49728	3.66.38.117	192.168.2.5
Jul 31, 2024 18:33:19.014493942 CEST	49728	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:19.019718885 CEST	13201	49728	3.66.38.117	192.168.2.5
Jul 31, 2024 18:33:19.030065060 CEST	49728	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:23.348017931 CEST	49729	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:23.353274107 CEST	13201	49729	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:23.353349924 CEST	49729	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:23.353658915 CEST	49729	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:23.359230995 CEST	13201	49729	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:23.359296083 CEST	49729	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:23.364434958 CEST	13201	49729	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:23.374094009 CEST	49729	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:23.379966974 CEST	13201	49729	18.197.239.109	192.168.2.5
Jul 31, 2024 18:33:23.389674902 CEST	49729	13201	192.168.2.5	18.197.239.109
Jul 31, 2024 18:33:28.495327950 CEST	49730	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:28.506613016 CEST	13201	49730	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:28.506689072 CEST	49730	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:28.507703066 CEST	49730	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:28.514059067 CEST	13201	49730	52.28.247.255	192.168.2.5
Jul 31, 2024 18:33:28.514425993 CEST	49730	13201	192.168.2.5	52.28.247.255
Jul 31, 2024 18:33:32.543638945 CEST	49731	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:32.548491001 CEST	13201	49731	3.66.38.117	192.168.2.5
Jul 31, 2024 18:33:32.548571110 CEST	49731	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:32.557616949 CEST	49731	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:32.564402103 CEST	13201	49731	3.66.38.117	192.168.2.5
Jul 31, 2024 18:33:32.576993942 CEST	49731	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:32.582119942 CEST	13201	49731	3.66.38.117	192.168.2.5
Jul 31, 2024 18:33:32.592609882 CEST	49731	13201	192.168.2.5	3.66.38.117
Jul 31, 2024 18:33:32.597722054 CEST	13201	49731	3.66.38.117	192.168.2.5
Jul 31, 2024 18:33:32.608217001 CEST	49731	13201	192.168.2.5	3.66.38.117

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 18:31:59.183490038 CEST	50985	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:31:59.570081949 CEST	53	50985	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:04.654438019 CEST	62493	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:04.832669020 CEST	53	62493	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:09.616172075 CEST	51262	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:09.648857117 CEST	53	51262	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:14.437982082 CEST	59985	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:14.801420927 CEST	53	59985	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:19.531606913 CEST	62929	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:19.541872025 CEST	53	62929	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:24.234946012 CEST	56719	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:24.249608994 CEST	53	56719	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:28.938335896 CEST	51011	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:28.998239994 CEST	53	51011	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:33.703638077 CEST	52354	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:33.712779999 CEST	53	52354	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:38.531820059 CEST	50750	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:39.465054989 CEST	53	50750	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:44.187961102 CEST	51818	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:44.524621010 CEST	53	51818	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:49.220017910 CEST	49935	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:49.228413105 CEST	53	49935	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:54.042659998 CEST	51609	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:54.203353882 CEST	53	51609	8.8.8.8	192.168.2.5
Jul 31, 2024 18:32:58.953037977 CEST	51278	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:32:58.976285934 CEST	53	51278	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:03.672585011 CEST	56801	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:03.953177929 CEST	53	56801	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:08.546914101 CEST	49988	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:08.554533958 CEST	53	49988	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:12.625195980 CEST	64519	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:13.653506994 CEST	64519	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:14.300951004 CEST	53	64519	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:14.301311970 CEST	53	64519	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:18.720943928 CEST	59350	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:18.995217085 CEST	53	59350	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:23.046813011 CEST	65103	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:23.347378016 CEST	53	65103	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:27.418225050 CEST	54074	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:28.421425104 CEST	54074	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:28.494524002 CEST	53	54074	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:28.494554043 CEST	53	54074	8.8.8.8	192.168.2.5
Jul 31, 2024 18:33:32.535809994 CEST	57029	53	192.168.2.5	8.8.8.8
Jul 31, 2024 18:33:32.542846918 CEST	53	57029	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 31, 2024 18:31:59.183490038 CEST	192.168.2.5	8.8.8.8	0x7da8	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:04.654438019 CEST	192.168.2.5	8.8.8.8	0xb1d3	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:09.616172075 CEST	192.168.2.5	8.8.8.8	0xed89	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:14.437982082 CEST	192.168.2.5	8.8.8.8	0xbde6	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:19.531606913 CEST	192.168.2.5	8.8.8.8	0xe9af	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:24.234946012 CEST	192.168.2.5	8.8.8.8	0xb7d1	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:28.938335896 CEST	192.168.2.5	8.8.8.8	0x209	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:33.703638077 CEST	192.168.2.5	8.8.8.8	0xb2c9	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:38.531820059 CEST	192.168.2.5	8.8.8.8	0xeeb9	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:44.187961102 CEST	192.168.2.5	8.8.8.8	0xdf03	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:49.220017910 CEST	192.168.2.5	8.8.8.8	0x1c53	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:54.042659998 CEST	192.168.2.5	8.8.8.8	0x87b8	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:58.953037977 CEST	192.168.2.5	8.8.8.8	0x37bf	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:03.672585011 CEST	192.168.2.5	8.8.8.8	0xa78c	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:08.546914101 CEST	192.168.2.5	8.8.8.8	0xcab0	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:12.625195980 CEST	192.168.2.5	8.8.8.8	0x416a	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:13.653506994 CEST	192.168.2.5	8.8.8.8	0x416a	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:18.720943928 CEST	192.168.2.5	8.8.8.8	0xfe71	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:23.046813011 CEST	192.168.2.5	8.8.8.8	0xee3b	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:27.418225050 CEST	192.168.2.5	8.8.8.8	0xc7cf	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:28.421425104 CEST	192.168.2.5	8.8.8.8	0xc7cf	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:32.535809994 CEST	192.168.2.5	8.8.8.8	0x13e9	Standard query (0)	6.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 31, 2024 18:31:59.570081949 CEST	8.8.8.8	192.168.2.5	0x7da8	No error (0)	6.tcp.eu.ngrok.io	3.69.115.178	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:04.832669020 CEST	8.8.8.8	192.168.2.5	0xb1d3	No error (0)	6.tcp.eu.ngrok.io	3.69.157.220	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:09.648857117 CEST	8.8.8.8	192.168.2.5	0xed89	No error (0)	6.tcp.eu.ngrok.io	18.197.239.109	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:14.801420927 CEST	8.8.8.8	192.168.2.5	0xbde6	No error (0)	6.tcp.eu.ngrok.io	3.68.171.119	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:19.541872025 CEST	8.8.8.8	192.168.2.5	0xe9af	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:24.249608994 CEST	8.8.8.8	192.168.2.5	0xb7d1	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:28.998239994 CEST	8.8.8.8	192.168.2.5	0x209	No error (0)	6.tcp.eu.ngrok.io	3.69.157.220	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:33.712779999 CEST	8.8.8.8	192.168.2.5	0xb2c9	No error (0)	6.tcp.eu.ngrok.io	3.68.171.119	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:39.465054989 CEST	8.8.8.8	192.168.2.5	0xeeb9	No error (0)	6.tcp.eu.ngrok.io	18.197.239.109	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:44.524621010 CEST	8.8.8.8	192.168.2.5	0xdf03	No error (0)	6.tcp.eu.ngrok.io	18.197.239.109	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:49.228413105 CEST	8.8.8.8	192.168.2.5	0x1c53	No error (0)	6.tcp.eu.ngrok.io	18.197.239.109	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:54.203353882 CEST	8.8.8.8	192.168.2.5	0x87b8	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:32:58.976285934 CEST	8.8.8.8	192.168.2.5	0x37bf	No error (0)	6.tcp.eu.ngrok.io	3.69.157.220	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:03.953177929 CEST	8.8.8.8	192.168.2.5	0xa78c	No error (0)	6.tcp.eu.ngrok.io	18.197.239.109	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:08.554533958 CEST	8.8.8.8	192.168.2.5	0xcab0	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:14.300951004 CEST	8.8.8.8	192.168.2.5	0x416a	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:14.301311970 CEST	8.8.8.8	192.168.2.5	0x416a	No error (0)	6.tcp.eu.ngrok.io	3.66.38.117	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:18.995217085 CEST	8.8.8.8	192.168.2.5	0xfe71	No error (0)	6.tcp.eu.ngrok.io	3.66.38.117	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:23.347378016 CEST	8.8.8.8	192.168.2.5	0xee3b	No error (0)	6.tcp.eu.ngrok.io	18.197.239.109	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:28.494524002 CEST	8.8.8.8	192.168.2.5	0xc7cf	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:28.494554043 CEST	8.8.8.8	192.168.2.5	0xc7cf	No error (0)	6.tcp.eu.ngrok.io	52.28.247.255	A (IP address)	IN (0x0001)	false
Jul 31, 2024 18:33:32.542846918 CEST	8.8.8.8	192.168.2.5	0x13e9	No error (0)	6.tcp.eu.ngrok.io	3.66.38.117	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:31:57
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\NYQbqD59m8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NYQbqD59m8.exe"
Imagebase:	0xd80000
File size:	462'848 bytes
MD5 hash:	2D5B4052BA6E888D0A2E8B044BC04651
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010525403.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011344797.00000000064F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011654427.0000000006570000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011075253.0000000006480000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011107103.0000000006490000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010742958.0000000006110000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011264446.00000000064D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011433086.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011207055.00000000064C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010704302.0000000006100000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000000.2051180031.0000000000D82000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011145761.00000000064A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011807561.00000000065B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011177334.00000000064B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011501940.0000000006520000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000002.3005933327.0000000003511000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:31:57
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpAA92.tmp"
Imagebase:	0xd70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:31:57
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:31:57
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAB1F.tmp"
Imagebase:	0xd70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:31:57
Start date:	31/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:31:59
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\NYQbqD59m8.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\NYQbqD59m8.exe 0
Imagebase:	0x8d0000
File size:	462'848 bytes
MD5 hash:	2D5B4052BA6E888D0A2E8B044BC04651
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2129766591.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2129899708.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:31:59
Start date:	31/07/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Imagebase:	0x3d0000
File size:	462'848 bytes
MD5 hash:	2D5B4052BA6E888D0A2E8B044BC04651
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2132484562.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: unknown Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:32:07
Start date:	31/07/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0x670000
File size:	462'848 bytes
MD5 hash:	2D5B4052BA6E888D0A2E8B044BC04651
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.2222973541.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.3%
Total number of Nodes:	288
Total number of Limit Nodes:	16

Executed Functions

Function 018D9540 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f`k, xrefs: 018D9B62
f`k, xrefs: 018D9861

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k$f`k
API String ID: 0-3251778840
Opcode ID: c3f0fc87f31454647a918231130b835e74f5ae00c6ce327c48915b10f20c937f
Instruction ID: 24be05650ffd13957f21ca9a5e965ca68eb3563febf6ff00e8818c6198b33d17
Opcode Fuzzy Hash: c3f0fc87f31454647a918231130b835e74f5ae00c6ce327c48915b10f20c937f
Instruction Fuzzy Hash: 1212CC30E20216CFCB14CF2AD08566EBBF2BF8435CF15856AE056DB295CB799E45CB80

Function 018DBC90 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f`k, xrefs: 018DC2B2
f`k, xrefs: 018DBFB1

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k$f`k
API String ID: 0-3251778840
Opcode ID: 8ae6053f1d92c15940b3c0d82c6a4e5f1af751591c853519fb01156fde940e3b
Instruction ID: 1baeae6b640a2ab75f8e9d6e5feeb2757be33fc6d64411ab97736459acdc9a49
Opcode Fuzzy Hash: 8ae6053f1d92c15940b3c0d82c6a4e5f1af751591c853519fb01156fde940e3b
Instruction Fuzzy Hash: 48128830A0021ACFDB18CF69C48066DBBF2BF89308F15856ED516DB251DB79DE4ADB41

Function 018D23A0 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f`k, xrefs: 018D26C1
f`k, xrefs: 018D29C2

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k$f`k
API String ID: 0-3251778840
Opcode ID: 0e27c947c83751b8daed846e3de652c2e7ab815e2cd6ef2bdb033a6b9ff30280
Instruction ID: a38ca82069edbee31f86bd98df6bcbc1b15f63903c6eb60aaeec669d662cd50a
Opcode Fuzzy Hash: 0e27c947c83751b8daed846e3de652c2e7ab815e2cd6ef2bdb033a6b9ff30280
Instruction Fuzzy Hash: FA129A30A00319CFDB24DF29C5846ADB7F3FB88318F1485AAD416DB2A5DB749E46CB51

Function 018DEF88 Relevance: 2.2, Strings: 1, Instructions: 941COMMON

Download Yara Rule

Strings

r, xrefs: 018DFA3C

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 83a98f25ac7539def01ad4badceed25336ad31bf92b66b32eb4d46a156472b6b
Instruction ID: 1caa4cb6336b1898bd73f2b6b945f41cd838dad91064a1b0b5ab7f4134119ea8
Opcode Fuzzy Hash: 83a98f25ac7539def01ad4badceed25336ad31bf92b66b32eb4d46a156472b6b
Instruction Fuzzy Hash: 3E826A70A00705CFDB15CF69C880A9EBBB2FF88314F158569D61AEB651D730EA86DF90

Function 0578300C Relevance: 1.6, APIs: 1, Instructions: 94
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

bind.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 057830BF

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 51c1ac52516b6930bc978b018385d7cf18f8d36346c7d7f0c630408ee270358b
Instruction ID: 92d66477636d27dd837f187b92779d8b01e52ee09247e726e9192111ba871668
Opcode Fuzzy Hash: 51c1ac52516b6930bc978b018385d7cf18f8d36346c7d7f0c630408ee270358b
Instruction Fuzzy Hash: 0031607550E3C05FD7138B659C54B66BFB8AF07614F0984DBE984CF1A3D229A809CB72

Function 05781897 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05781917

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3487e1185c60957ba3ddfeca9c38d05f8e678c875030e2fc9e485211688b4df6
Instruction ID: 3c5a68c49ef305847ca3a11d21f86783306f8f2ca480fb047a8d69bc6e590265
Opcode Fuzzy Hash: 3487e1185c60957ba3ddfeca9c38d05f8e678c875030e2fc9e485211688b4df6
Instruction Fuzzy Hash: 3A219F75509784AFDB228F25DC44BA2BFB4BF06310F0984DAE9858B163D275E908DB62

Function 0578351A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 0578358A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: a7304e31993d21eacbc04d3c158974a113d524bd04a72dfad3af470f7eac2229
Instruction ID: 936c8cca03d2ad1f1511a66116a22f5219f0de978ab73e9b629f0fae47ebb948
Opcode Fuzzy Hash: a7304e31993d21eacbc04d3c158974a113d524bd04a72dfad3af470f7eac2229
Instruction Fuzzy Hash: C211AF72500204AFEB22DFA6DC44FA6FBE8EF14724F04886AE9458B651D375E5089BB1

Function 05781CB3 Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05781D29

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 6287cb57f299d5d3433df9912d8bcc048cad4179a98dfb247232aaf4d2a5e47d
Instruction ID: 6f50a4be50890efff69af0fd51d465a90ddf2bfa522b376c7c205fdb7ae92d26
Opcode Fuzzy Hash: 6287cb57f299d5d3433df9912d8bcc048cad4179a98dfb247232aaf4d2a5e47d
Instruction Fuzzy Hash: FD21C0715097C0AFDB238B20DC45A62FFB0EF17314F0984DBE9848B1A3D265A909DB62

Function 0578305E Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 057830BF

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: f0f62d4984c0b13da75163349d90d04b8654cac7040230268923bf3823a749a7
Instruction ID: 8635286c81f14a20edeba370ce009c2686b04cc1701daf64f758b70f8ee77186
Opcode Fuzzy Hash: f0f62d4984c0b13da75163349d90d04b8654cac7040230268923bf3823a749a7
Instruction Fuzzy Hash: D911B271604204AFEB21DF59DC84FA6B7E9EF04724F18C86AED45CB641D774E408CAB1

Function 05781A19 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 05781A85

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 9aac6b810abb77f20c0bd59ddad5bb80bb0d77115e84b5f18eb1ad9aad262b0d
Instruction ID: 3e3c9c29fbfbe17c13f438714474e42665c5f3778548c0c3fcadb90d2d5d3249
Opcode Fuzzy Hash: 9aac6b810abb77f20c0bd59ddad5bb80bb0d77115e84b5f18eb1ad9aad262b0d
Instruction Fuzzy Hash: 7811D0714093C0AFDB22CF10DC44A62FFB4EF06320F0984CAE9844F263C275A908DB62

Function 057818CE Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05781917

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f6fa60a8f2eb71ce3581659db393777d27c99fc34a9c7b0ddec982100d1ec79a
Instruction ID: 17189626251f9b94c8a13417ac7a87020f46d9c588f1cfdcb3a11a24ded717bf
Opcode Fuzzy Hash: f6fa60a8f2eb71ce3581659db393777d27c99fc34a9c7b0ddec982100d1ec79a
Instruction Fuzzy Hash: EA11A0716042449FDB20DF15D884B66FBE4FF04320F08C4AAED4A8B652D335E418DB61

Function 05781AF2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05781B24

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ad70f8516608cbb3a124be99992f92130c0649b9a94c7148911ca8afd80af0ff
Instruction ID: 6fd5e7195d4fca90e4bbd8836e21545e9a19a8105d183ddd43a6e2a86b720ca3
Opcode Fuzzy Hash: ad70f8516608cbb3a124be99992f92130c0649b9a94c7148911ca8afd80af0ff
Instruction Fuzzy Hash: 8E018B71A042409FDB20DF15D984BA1FFA4EF44320F48C4AADD498F242E379A808DBA2

Function 05781A4A Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 05781A85

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: d50221ebbd7661a4e681a20bba2c4ae16e20dc2e6e18d13f06b6d596e0a05eea
Instruction ID: 126db28997668f6b0360729774b344802ff5a82a497e376dcaeb2b0e930f0167
Opcode Fuzzy Hash: d50221ebbd7661a4e681a20bba2c4ae16e20dc2e6e18d13f06b6d596e0a05eea
Instruction Fuzzy Hash: C00178355403409FDB21DF46D984B61FBE1EF48720F08C4AAED890B652C375A419DBA2

Function 05781CEE Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05781D29

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d50221ebbd7661a4e681a20bba2c4ae16e20dc2e6e18d13f06b6d596e0a05eea
Instruction ID: 6c04819bb4a67230895436b1964d0370d000dfd34ef02f52357c3c3c32231827
Opcode Fuzzy Hash: d50221ebbd7661a4e681a20bba2c4ae16e20dc2e6e18d13f06b6d596e0a05eea
Instruction Fuzzy Hash: 37018B36500A04AFDB21DF05D984B61FBE1FF08320F08C4AAED494B666D375E459DB72

Function 018D3850 Relevance: .9, Instructions: 856COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2c699d098ae8974fc78153f0aa40b193c21fff2265591c921de0939e8183d3
Instruction ID: d0c8e47a67824c88be1e3f4badaf7b3d9cee804b56f6009e401ee395941e4750
Opcode Fuzzy Hash: 6f2c699d098ae8974fc78153f0aa40b193c21fff2265591c921de0939e8183d3
Instruction Fuzzy Hash: A962F5B1A00306CFCB15CF68C4849A9BBB6FF85314B19C5AAD919DF252C731EE45CB92

Function 018DC8E8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa658aa53023c02a46ebd94595a17b437ef09f246d48038c94ed900a423177b
Instruction ID: 977ec4987d48280130a8c7007711273f54a25053383aa545e6d5fc711889c424
Opcode Fuzzy Hash: 9fa658aa53023c02a46ebd94595a17b437ef09f246d48038c94ed900a423177b
Instruction Fuzzy Hash: 99815A32F112199BD714DB6DD880AAEB7E3AFC4314F2A8579E405EB365DB34AD01CB90

Function 018D2FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d0ba6922de7d02e3e4896ea7c9ffa65b0cad7b38ccc7e2a0da1b328559932b
Instruction ID: 5f3f15344674975cb4c5c29ff332a25d0b65f4a71579afd07a116311b89cef9e
Opcode Fuzzy Hash: e3d0ba6922de7d02e3e4896ea7c9ffa65b0cad7b38ccc7e2a0da1b328559932b
Instruction Fuzzy Hash: 4A81C172F112159BD714DB69D880A9EB7E3BFC8314F2A8478E805DB365DF349D018B91

Function 018DC9AF Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afff4c8dca2639e8263b92378b1da41c132aa64e3603c6b628e361e380e0797
Instruction ID: 183c31360d5ad6cf41c337f82606d59e6a6e9ecea0223f614362fbe036e7c491
Opcode Fuzzy Hash: 1afff4c8dca2639e8263b92378b1da41c132aa64e3603c6b628e361e380e0797
Instruction Fuzzy Hash: 2E514B32F111158BE714DB6DD980A9EB7E3AFC4214F2A8168E405EB769DF34ED01CB90

Function 057812C4 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 05781433

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bad725b50941debb0b96c2bfd8355f98b88f69a95f21d7e727fb5f7d6a005e50
Instruction ID: 9f1b7ddd07248e43d903a08a19d5a74b0d13657a4300a2f973accda5cabb078f
Opcode Fuzzy Hash: bad725b50941debb0b96c2bfd8355f98b88f69a95f21d7e727fb5f7d6a005e50
Instruction Fuzzy Hash: FE51C17154D3C06FD7139B608C54FA2BFB8AF57220F0A84DBE884CB5A3D265A909D772

Function 057820B9 Relevance: 1.6, APIs: 1, Instructions: 95
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,00000E24,?,?), ref: 0578217A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: bd00b12dc1d16c77acd8056eb8a035ff8c2811e908f0cfdda5158d6af6f5c8a2
Instruction ID: 897bdf30ce799afcf7198117dd744f5186d3df0c2e7ad2f8415ddc9abe1f04c7
Opcode Fuzzy Hash: bd00b12dc1d16c77acd8056eb8a035ff8c2811e908f0cfdda5158d6af6f5c8a2
Instruction Fuzzy Hash: 8B318E6510E3C06FD3139B218C61A21BFB4EF47610F0E85CBD8C4DB6A3D229A909D7B2

Function 05780736 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 057807E0

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 9e49add6c8bbd162ea26aa9f5a81344b6c5538f1b6271d975da6afc11f90e83d
Instruction ID: 636369065134ad8640e2cac60c2133dae4b2e1fd539add8fe89f00fa8f0989c9
Opcode Fuzzy Hash: 9e49add6c8bbd162ea26aa9f5a81344b6c5538f1b6271d975da6afc11f90e83d
Instruction Fuzzy Hash: 8F31B3715097806FD722CF60DC45FA6BFB8EF06314F08849AE984CB252D235A908D7A1

Function 057811CC Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNELBASE(?,00000E24,?,?), ref: 0578128E

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: a4c80582eba9f97aa482e48798d0aa8a700a4350644d4ca3ac13e65ee37cee00
Instruction ID: d650bbd889d0a315febe6991ef3973f556bebdcaa71fc34a392d48e2a2fc5972
Opcode Fuzzy Hash: a4c80582eba9f97aa482e48798d0aa8a700a4350644d4ca3ac13e65ee37cee00
Instruction Fuzzy Hash: 16317C6150E3C06FD3038B258C61B62BFB4EF47624F0E85DBD8849F5A3D225A919C7A2

Function 05780390 Relevance: 1.6, APIs: 1, Instructions: 93
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,00000E24), ref: 0578045E

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0a01e1ffe5ce77bbd42f057cab9b69b9ffe7fe897e9dabb60bdc87cb79fdf704
Instruction ID: 614cd3d915ab52a011c741f16061d0b41d541acfc4ba81231e6c412709b53654
Opcode Fuzzy Hash: 0a01e1ffe5ce77bbd42f057cab9b69b9ffe7fe897e9dabb60bdc87cb79fdf704
Instruction Fuzzy Hash: 8C31C471004380AFE7228F11CC45FB6FBB8EF06314F04899EF9859B692D375A949CB61

Function 05780D68 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05780E0D

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 886d01887cdbf2816c4f76ae6ac6de37e21f3997ccc739676e4ac6956087537a
Instruction ID: 93956f3e381cb1d9494e1e46ed2e1aca025c1dca4850fdda472dc2498a93b283
Opcode Fuzzy Hash: 886d01887cdbf2816c4f76ae6ac6de37e21f3997ccc739676e4ac6956087537a
Instruction Fuzzy Hash: 63319071505380AFE722CF65CC44F67BFE8EF05624F08889EE9858B652D365E809DB71

Function 014BAA02 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 014BAAB1

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ea4d7f1d5233d8e34a44725e70d6635c6b0e226c53e5bfb8f25f4f69614103fe
Instruction ID: b0188f3a0f1f626bc8c5ebb51b823df5f774f4a949b9f250d043d46027737186
Opcode Fuzzy Hash: ea4d7f1d5233d8e34a44725e70d6635c6b0e226c53e5bfb8f25f4f69614103fe
Instruction Fuzzy Hash: C331B471504384AFE722CB55CC45FA7BFBCEF15210F08889BE9859B652D264E90DCB71

Function 057836DD Relevance: 1.6, APIs: 1, Instructions: 91
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 0578379A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: ed90b8daa5453e649745e1942c212c0ef934d6501d36da7af130c5719e2b9a2a
Instruction ID: 2f498e1916d37265c099bb882574fb954b95f2d6e7dcd3eec4cdd36563be218b
Opcode Fuzzy Hash: ed90b8daa5453e649745e1942c212c0ef934d6501d36da7af130c5719e2b9a2a
Instruction Fuzzy Hash: 7631D17150D3C05FD3038B358C55B62BFB4EF47620F0A85CBD8848F6A3D625A91AD7A2

Function 05781491 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05781534

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 063b8e623ec12da4006bd1fcbb870781a2fe96f69b6f6c55414875479985786b
Instruction ID: 4944de1ef5c16f1f6ed51edc6cab47922c1c9b827b46824f73f6b3331b3a4557
Opcode Fuzzy Hash: 063b8e623ec12da4006bd1fcbb870781a2fe96f69b6f6c55414875479985786b
Instruction Fuzzy Hash: 7431D1715093846FE712CB65DC55FA6BFB8EF47320F0984DAE985CF2A3D224A908C761

Function 057800F6 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0578019D

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: c3d99039606d9c5054bf0403d94346a8e57d5956aa75b8e73721280bdeaaac6b
Instruction ID: c1889ae918aa51fa035cc6f056d821bbffbe15f2ee76bf25f1fec03d45d53933
Opcode Fuzzy Hash: c3d99039606d9c5054bf0403d94346a8e57d5956aa75b8e73721280bdeaaac6b
Instruction Fuzzy Hash: 333193715093806FE712CB65DC45FA6BFF8EF06214F08849AE945CB292D375E908C761

Function 014BAAF9 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 014BABB4

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 41bf9f91a53eef1d49823604ed8692ce43a6eb52d1efb85fea5db6f4497ad374
Instruction ID: 842f4ad9189907f7dbc8a43565afa875dd4925f333a48c12b7c0a95dc2fe65fe
Opcode Fuzzy Hash: 41bf9f91a53eef1d49823604ed8692ce43a6eb52d1efb85fea5db6f4497ad374
Instruction Fuzzy Hash: 6A3175755093846FD722CB65CC84FA3BFB8EF06614F18889AE945CB263D264E548CB71

Function 057831F7 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 0578329D

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: e3775d7d99d213cda943dfff498754127ff6ba3d1a81d66f254a10ef7db2a429
Instruction ID: ce0b813b41f6d8494a5ac3087294a68c34ffc23c92ffe4fc118145b1641c1b79
Opcode Fuzzy Hash: e3775d7d99d213cda943dfff498754127ff6ba3d1a81d66f254a10ef7db2a429
Instruction Fuzzy Hash: 5131A071509384AFD722CF65DC55FA6BFB8EF06314F0888DAE9848B163D325A908C772

Function 057804AB Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 0578055C

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 71c853dcfea53de6e9a7288cf5229d9e1053efd936e4489cad045acff4c9a6c5
Instruction ID: 5aeeeaf88b8e6b88038dd64f5831bd968c7414d411fe9376ea3bf53414daca3f
Opcode Fuzzy Hash: 71c853dcfea53de6e9a7288cf5229d9e1053efd936e4489cad045acff4c9a6c5
Instruction Fuzzy Hash: 7631B675109380AFD722CB61DC44FA2BFF8AF06210F0984DAE9858B563D324E80CD771

Function 05780E64 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05780EF9

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2edb651bd7f74b0fced7506a209e752acc460f4126cc9cd1f60ab7ca3382d3e6
Instruction ID: 3b0a9c8d6dfaa711c6e3a3b66b0b81dd39916bdddc485d07667fb65d3e47da18
Opcode Fuzzy Hash: 2edb651bd7f74b0fced7506a209e752acc460f4126cc9cd1f60ab7ca3382d3e6
Instruction Fuzzy Hash: 8E21F5B55093806FE7138B219C45BA2BFBCEF47720F09C4DAE9808B293D264A909D771

Function 05783401 Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05783496

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 8b11c19b4b66628fc285e16cfce1bc1aec6a9ef88c18297d271a0e22cf154595
Instruction ID: d7a9e9b2ec51c7cc3a535c610bced9ae282b294fb63f6549eb92d10d76454de4
Opcode Fuzzy Hash: 8b11c19b4b66628fc285e16cfce1bc1aec6a9ef88c18297d271a0e22cf154595
Instruction Fuzzy Hash: 0F21BF71504344AFEB228F51CC44FA6BBBCEF55224F04889AE9858B652D325E808DB71

Function 057813B6 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 05781433

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e33333f012f4e9069c373218faa5cfb6fbfc370f29e02ad07200340a7655157c
Instruction ID: fdec545c103c4d228edb1f63c57db360d7012df385f95443fd0cb27c74cac232
Opcode Fuzzy Hash: e33333f012f4e9069c373218faa5cfb6fbfc370f29e02ad07200340a7655157c
Instruction Fuzzy Hash: B821ED72500204AFEB21DF65DC44FABBBECEF14324F04886AE945CBA51D374E408DBA1

Function 05781D68 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,00000E24,?,?), ref: 05781E0A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: b941f483b5438cea7146ad67ef8ddbf55a95fdd93c30b49b0655660ce87987d4
Instruction ID: ef2a153f3d5d245ad0cf73be050aaa90b5d3cbed77a284fa4ed636cc5da89b6b
Opcode Fuzzy Hash: b941f483b5438cea7146ad67ef8ddbf55a95fdd93c30b49b0655660ce87987d4
Instruction Fuzzy Hash: C021957150D3806FD3138B259C51B62BFB4EF87620F0A85DBE8849B653D224A919C7B6

Function 057802AB Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E24), ref: 05780353

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b9aee0be0aceed16610a07c830b1e87f5e9b2204b3450a5ed69b84caf39637fa
Instruction ID: 28e345da48ff4e322e1a8d1a2a9daa8ce041ec3139ff08b81f14b53527dc66f7
Opcode Fuzzy Hash: b9aee0be0aceed16610a07c830b1e87f5e9b2204b3450a5ed69b84caf39637fa
Instruction Fuzzy Hash: BA21E5750093806FE7228F10CC44FA6FFB8EF06310F0884CAE9849B2A2D365A909DB71

Function 05782932 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 057829C6

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 8be3d45ffabf53c996f42c7b30f4418f313f857e1b297840b22eb31ec297ac44
Instruction ID: c6c37ec9b10772fda6e4a8634c079b017331cbb188056ab2a082a545ce5967f2
Opcode Fuzzy Hash: 8be3d45ffabf53c996f42c7b30f4418f313f857e1b297840b22eb31ec297ac44
Instruction Fuzzy Hash: 3E21BF71505380AFE722CF55CC45FA6FBF8EF19224F08849EE9858B252D365E908CB62

Function 057834FA Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 0578358A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: e1144333a08f2a8e1323b8b9b029e4aca2f8f32e3f7a11610196512e50d21464
Instruction ID: f7a56debe8bc90ece9c731aaf2753048a5446d7190b3d385390bbb58d93ed255
Opcode Fuzzy Hash: e1144333a08f2a8e1323b8b9b029e4aca2f8f32e3f7a11610196512e50d21464
Instruction Fuzzy Hash: 38219072505344AFDB22CF51CC44FA7BBB8EF55224F08889AE9859B652D335E508CBB1

Function 057821A6 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05782232

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 413032a12fce55b07bf7b4bca5f1674ec43603b3ab8846cc39cab84f690128f9
Instruction ID: 5d38f2edde1d77ed9356cede2442d1c231dedef2989234b146f81ca74013f6e1
Opcode Fuzzy Hash: 413032a12fce55b07bf7b4bca5f1674ec43603b3ab8846cc39cab84f690128f9
Instruction Fuzzy Hash: 23218D71509380AFD722CF51CC44FA6FFB8EF05324F08889EE9858B652C365A808CB62

Function 014BAF50 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 014BAFEA

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 82d2f8778716adcd5aa0254929cfd388297908dcae208eac251dce0940e1201c
Instruction ID: 8e89d79fc324c75cb283228b6164533cd0b2f3bb54712f712570abe66a6a37fc
Opcode Fuzzy Hash: 82d2f8778716adcd5aa0254929cfd388297908dcae208eac251dce0940e1201c
Instruction Fuzzy Hash: CE2195715093C06FD3138B259C51B62BFB4EF47614F0A81DBE884DB653D224AD19C7B2

Function 05780D8E Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05780E0D

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7fc19ccbb8d5bcacc55f0ab1518493965595b23bdc8023e616ce853cca61c7bc
Instruction ID: 061d86b21d61c1bb63f9b1997455762ac693d8a3abfba2ff0e508ff42120e5b2
Opcode Fuzzy Hash: 7fc19ccbb8d5bcacc55f0ab1518493965595b23bdc8023e616ce853cca61c7bc
Instruction Fuzzy Hash: 25219C71604200AFE721EF65CD84F66FBE8FF08724F088869E9858B651D371E408DB71

Function 05780F34 Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05780FC5

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4e6ccb5489cc09a4b0729d74f7967b7123296cd3050aeff91153c59530592393
Instruction ID: ab17f090b479c88bf99220ce5b5379ed1f5125fd36a9bfc05ee2a6b8fa1e5e7f
Opcode Fuzzy Hash: 4e6ccb5489cc09a4b0729d74f7967b7123296cd3050aeff91153c59530592393
Instruction Fuzzy Hash: 5C219D71509380AFD722CB61DC44FA6BFB8EF56314F08849BE9858B653C225A809CB72

Function 05781716 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05781796

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6a75c20af4803b71d1586e41b6c532fb84ed95f2c92708c374e9d282c0c8102f
Instruction ID: 2523c99c38af39fabd07ff3d961a70c64e4ecd1721496da8dfc32538f814b818
Opcode Fuzzy Hash: 6a75c20af4803b71d1586e41b6c532fb84ed95f2c92708c374e9d282c0c8102f
Instruction Fuzzy Hash: C82190725093C05FD712CB25DC95BA2BFF8EF06210F0984DEE885CB653D225E809D761

Function 057810ED Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05781184

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 47d7d46a61b6bfdade2b1d2895d565528128c4f87394263a8fe602ee62a09046
Instruction ID: 4aa4280accb4293d1b247c1b93bdd32484a50feb4f0ce204522b4c526287903e
Opcode Fuzzy Hash: 47d7d46a61b6bfdade2b1d2895d565528128c4f87394263a8fe602ee62a09046
Instruction Fuzzy Hash: 6B21C1B2504340AFE722CF11CC44FA7BBB8EF15210F08859AE9459B692D324E808CB71

Function 057803CA Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E24), ref: 0578045E

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c03172164d08b220f5086caf5a4f28dec578bd6f2f6bc31e79ef2c8d1d9aa836
Instruction ID: 405a976a8b4ec95b15cfe009f99d8f77aacdfaaa04a62bc47a132e01067020a8
Opcode Fuzzy Hash: c03172164d08b220f5086caf5a4f28dec578bd6f2f6bc31e79ef2c8d1d9aa836
Instruction Fuzzy Hash: DB21FF72140200AEEB31DF11DC84FB6F7A8EF04324F04886AFA459A691D7B5E90CDBB1

Function 014BAA32 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 014BAAB1

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f719dba7ee97187b29de1522e028d33f6a594bdf6fda43880a8792177b1bd9dc
Instruction ID: 11e874f1fee9cb18c223da42608212af2465cba5bba6786c1806bda92d44c334
Opcode Fuzzy Hash: f719dba7ee97187b29de1522e028d33f6a594bdf6fda43880a8792177b1bd9dc
Instruction Fuzzy Hash: 5821CF72500204AEE721DF55CD84FABFBECEF18224F14C85AE9459B652D734E8088AB1

Function 0578012A Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0578019D

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 133a585a4c133ab4d7dee3d47bd6576bd7d4d5958c9b97b3ed685cde5b8aa690
Instruction ID: 02ef09bce4045b7e7e0bf6f17c98d6be7983458c96ea316e8af59a0500a0f7ca
Opcode Fuzzy Hash: 133a585a4c133ab4d7dee3d47bd6576bd7d4d5958c9b97b3ed685cde5b8aa690
Instruction Fuzzy Hash: 45218071604240AFE720DF65DD49BAAFBE8EF05224F04846AE9458B741D775F908CA61

Function 0578100F Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05781092

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: ce381c10b42c9435c6e2baa0dbc806b9bff6f315f6741fb3b24118819af30082
Instruction ID: b504faabf825e2eb223a7e32beaed3a1b75e93c7231eb10a9437d8c0bb4aba6d
Opcode Fuzzy Hash: ce381c10b42c9435c6e2baa0dbc806b9bff6f315f6741fb3b24118819af30082
Instruction Fuzzy Hash: 062192B16093C05FDB22CB25DC54BA2BFE8EF06324F0984DAED85CB653D225E804DB61

Function 05780C97 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05780D13

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 714533cf86bc1dc4d224b6411857d7839768f21238ed5cf6c373eb5bfa6defa2
Instruction ID: 3bed350cf86c975763f9974bc27ad866ea10cc189db7d94195a641c8efbd56ba
Opcode Fuzzy Hash: 714533cf86bc1dc4d224b6411857d7839768f21238ed5cf6c373eb5bfa6defa2
Instruction Fuzzy Hash: C42171B55493809FD711CF25DC55B62BFF8EF06210F0984DAE845CF263D264E909DB61

Function 05781597 Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E24), ref: 05781623

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2d0e1fbae63cd75383a731b383be8c6123f4d8e34ecc18fec31d4b89c2ff268c
Instruction ID: b15b2ed8cee552053896f3a0d567ea1d472867855ebffecee06357f6f020a9e3
Opcode Fuzzy Hash: 2d0e1fbae63cd75383a731b383be8c6123f4d8e34ecc18fec31d4b89c2ff268c
Instruction Fuzzy Hash: 3B21C371605380AFE721CF55DC45FA6BBB8EF05720F08809AF9459B292D3A4E948CB61

Function 05780776 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 057807E0

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5332c7b78ba40340501f89b2aea2113708cbcb77051f2a3d014da5bf3ce11024
Instruction ID: cb8e97217c55d3a580fbcf93b4b33b9b7cf57baa9b19f8b9805b0b05e1d66095
Opcode Fuzzy Hash: 5332c7b78ba40340501f89b2aea2113708cbcb77051f2a3d014da5bf3ce11024
Instruction Fuzzy Hash: 7711AF72600204AFEB21DF65DC48FBAB7ECEF14324F04886AE945DB651D774E4488BB1

Function 014BAB3A Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 014BABB4

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1ce69d156d22b5cde3f47cc2d517f0ca03535d202e9fa69e41fee6060c8e7c3e
Instruction ID: 4f97c8bac5dde471f77dd6a46df4410a5c19ca440ee0cbb6d3d32dee722faf44
Opcode Fuzzy Hash: 1ce69d156d22b5cde3f47cc2d517f0ca03535d202e9fa69e41fee6060c8e7c3e
Instruction Fuzzy Hash: 06218176604204AFE721CF55DC84FA7F7ECEF14620F14896AEA458B761D774E408CAB1

Function 05781964 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 057819D0

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d6da8fe6c86702c17ad27460fd3427cd54d5b2140ba8565b484f0d6338d1ae06
Instruction ID: 87e01da9925cdfe2724e5edbe05727b7906a7bc40fbafcd08736a68e2897d523
Opcode Fuzzy Hash: d6da8fe6c86702c17ad27460fd3427cd54d5b2140ba8565b484f0d6338d1ae06
Instruction Fuzzy Hash: C221C0725093C05FDB12CB25DC94A92BFB4AF07324F0D84DBEC858F663D264A908DB62

Function 05782952 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 057829C6

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7e22d2374beee8109830b7590895c4ea086589e3ce3a39e6e6fd962384c78977
Instruction ID: db31ce9fdb5a9c60f1c2094c45545f1db19ab505cfe892e4c3e87671419fe4ae
Opcode Fuzzy Hash: 7e22d2374beee8109830b7590895c4ea086589e3ce3a39e6e6fd962384c78977
Instruction Fuzzy Hash: 6121DE71500200AFE721DF55CC45FA6FBE8EF18324F0484AEE9458B652D375E508CBA2

Function 05783426 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05783496

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: a7304e31993d21eacbc04d3c158974a113d524bd04a72dfad3af470f7eac2229
Instruction ID: 0e78325d09323f4ebd9216185da27a64aa07108bea73463327be780f3da3c50a
Opcode Fuzzy Hash: a7304e31993d21eacbc04d3c158974a113d524bd04a72dfad3af470f7eac2229
Instruction Fuzzy Hash: DE11AF72500204AFEB22DF95DC44FBAFBE8EF14724F04C86AE9458B651D335E4089BB1

Function 057821C6 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05782232

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 56f4058b0a999062e10c02ad55bf25d24e6702c3357c22cefe31ef00332e92e9
Instruction ID: 72cb2b1b65e0a33e5b7c9da9f5dd75f7563330461d1f30834a2a5ed25b309c2e
Opcode Fuzzy Hash: 56f4058b0a999062e10c02ad55bf25d24e6702c3357c22cefe31ef00332e92e9
Instruction Fuzzy Hash: 9E21CD71504200AFEB21DF65DD44FA6FBE8EF08324F04886EE9468B652C375E408DB62

Function 057801F4 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05780264

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 74a3a69824c0b51f7fa3f1ab68014a31fc4c1f1c4a08bbad44832d3976883cb5
Instruction ID: ac3ba91e92b4727a38c77cebac8319b65b15d767adc94218fd378391354c7439
Opcode Fuzzy Hash: 74a3a69824c0b51f7fa3f1ab68014a31fc4c1f1c4a08bbad44832d3976883cb5
Instruction Fuzzy Hash: 3421D2B15093809FD712CF25DC85B62BFB8FF42324F0984AAEC858B653D335A909DB61

Function 05781112 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05781184

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d1f44f70f2fd3f96b649c52cecc4bf61b792a81594a7f66fdb47fc8c356df0de
Instruction ID: 6a5757035ff6542c8b7f21a8aa228e19cdd48d574761b6286acdc30bdb58c851
Opcode Fuzzy Hash: d1f44f70f2fd3f96b649c52cecc4bf61b792a81594a7f66fdb47fc8c356df0de
Instruction Fuzzy Hash: E211AC72A00200AFE721DE55DC40FB7BBE8EF14620F08856AED468B741D764F809DAB1

Function 057804EA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 0578055C

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1c29dc5e6fa392f1bd303bcb3937ab8eaae9e436d535136a5e029cd26aef8de2
Instruction ID: f2f0f4099d9705add7f489c44d54f430ad25bec57415dba5e46dcf5bc836df1f
Opcode Fuzzy Hash: 1c29dc5e6fa392f1bd303bcb3937ab8eaae9e436d535136a5e029cd26aef8de2
Instruction Fuzzy Hash: DC11AF76500600AFE721DF56DC44FA6F7E8EF14720F08C46AE9468B651D364E40CDAB1

Function 05783236 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 0578329D

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 8226e3836837629074cc7ce783745765bc4f87ef0b09702711893fdb689e2c43
Instruction ID: c21d07130723027c5de41165277b34dced28676b840634ecc03b8b53a8fd1aa0
Opcode Fuzzy Hash: 8226e3836837629074cc7ce783745765bc4f87ef0b09702711893fdb689e2c43
Instruction Fuzzy Hash: AF11BE71600204AFEB21DF59DC44FA6BBE8EF04724F04C86AED458B651D334E408DBB1

Function 05781667 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 057816DA

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: fbbefe3dc6c12512168f1b70640200bcca7080982cc380655a25953c9439d319
Instruction ID: 3bd8e1a7a9d6c1b26f270ec5ddc01f9e5ffa4e40fb0965f1dcfddf184932b796
Opcode Fuzzy Hash: fbbefe3dc6c12512168f1b70640200bcca7080982cc380655a25953c9439d319
Instruction Fuzzy Hash: 8F21A2755093805FD7228F25DC44A62FFB4EF06224F0984DFED858B263D265A849DB61

Function 057814DE Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05781534

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 721d01cfc647c372eee8af51fa16385e16f1d943006bb170d88d25dbf3e7e76b
Instruction ID: cb5770004c3746051a477f6e225bbc50e2cf39e4dd8ce561cb9eb0af6a145083
Opcode Fuzzy Hash: 721d01cfc647c372eee8af51fa16385e16f1d943006bb170d88d25dbf3e7e76b
Instruction Fuzzy Hash: 0311E371600200AFEB21DF56DC45FBAB7A8EF04324F08C4AAED05CB641D774E908CBA1

Function 014BA51F Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BA58A

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ba74e0ca0b1ef9f9252f192a7667ceb1930ec836d7f11b8b329e7de520f89180
Instruction ID: f87d3ecd4049f91e61a5b7789cac7295f79e2858d9c208a13dcbe9b52fb86deb
Opcode Fuzzy Hash: ba74e0ca0b1ef9f9252f192a7667ceb1930ec836d7f11b8b329e7de520f89180
Instruction Fuzzy Hash: 07117271509380AFDB228F55DC44A62FFF4EF4A320F08889EED858B663D375A518DB61

Function 014BB7CA Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 014BB841

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 271ec46f88015222c93ea18858e30adedd4b1bc5e39f86184d8859ef564308ef
Instruction ID: e591782c030a5135f8d15a795ce16216fe7ba9155faf5dddda59cc8298d81662
Opcode Fuzzy Hash: 271ec46f88015222c93ea18858e30adedd4b1bc5e39f86184d8859ef564308ef
Instruction Fuzzy Hash: 8C219D714097C09FDB238B25DC54AA2BFB0EF07220F0D84CAEDC54F263D265A958DB62

Function 05780F66 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05780FC5

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4fbad2c2f0020a3d04f62f65bc516ad32eeb16e1a6a29cbaf76327e75084ced4
Instruction ID: 23dc09fcbbacc4f291d1c2fa7fbc73e9d726c17f4069782b074dd765f72cb99b
Opcode Fuzzy Hash: 4fbad2c2f0020a3d04f62f65bc516ad32eeb16e1a6a29cbaf76327e75084ced4
Instruction Fuzzy Hash: B2119A72500200AFEB21DF55DC44FAAFBA8EF14324F08C8AAE9458B651C375E508DBA2

Function 05781C08 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,7D740ACF,00000000,?,?,?,?,?,?,?,?,6C8D3C58), ref: 05781C6A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 30665f980b34575b5fbc118b739869f02ea775c4b0e50e0d7d5552f2c4162473
Instruction ID: 2d9d6ed4049b6b707b44108e1ce852f2531d1b3608cde456b54cf6e5e55a425f
Opcode Fuzzy Hash: 30665f980b34575b5fbc118b739869f02ea775c4b0e50e0d7d5552f2c4162473
Instruction Fuzzy Hash: 8D1172715093809FD721CF65DC44B62BFF8EF45220F0984AAE945CB252D335E808DB61

Function 057802DE Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E24), ref: 05780353

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d977b2ddfc2b18d03cd31cfb60baa0e0d83d076446cfed5f923b906fa4915e2d
Instruction ID: 0797eda8314f7c1955b5791bc4b03bc3f49b210187d62ec68189435d233fa81b
Opcode Fuzzy Hash: d977b2ddfc2b18d03cd31cfb60baa0e0d83d076446cfed5f923b906fa4915e2d
Instruction Fuzzy Hash: 3B11BF75100600AFEB31DF11DC45FB6FBA9EF14724F04849AFD455AA91C375E908DBA1

Function 057815BA Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E24), ref: 05781623

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8d73f71222b5c03307ed968f00b6bd9db30242696b5ffa20e955929e5e8ba2c9
Instruction ID: 88a52c47a23d517b0bcbcd391a0b67ea0d9d19b491f7b06cb8a1cf2dfb8b88ed
Opcode Fuzzy Hash: 8d73f71222b5c03307ed968f00b6bd9db30242696b5ffa20e955929e5e8ba2c9
Instruction Fuzzy Hash: 6D11E071240200AEEB20DF15DC85FB6B7A8DF04720F08C0AAFD459B781D7A4E808CA61

Function 014BBB4F Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 014BBBB9

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 35b09f09ec0ea28a11b098063589028ebf53837dc545991aeeab26f66253514b
Instruction ID: fe3a0239a927e12a6a1ec6fd3d118776ad86346b8a9f97a1991e311788997303
Opcode Fuzzy Hash: 35b09f09ec0ea28a11b098063589028ebf53837dc545991aeeab26f66253514b
Instruction Fuzzy Hash: 0B11D3755093C0AFDB228F25DC45A52FFB4EF06220F0888DFED858B663D275A818DB61

Function 014BBE05 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 014BBE70

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 87124437207da2624cd3705d7ca82ee512068253ad6c0e47548ce6e431b53c40
Instruction ID: 9985bf65f11c55c3903f32a1d989fc08fe39a0bf3306cb56c11591b17a075ce3
Opcode Fuzzy Hash: 87124437207da2624cd3705d7ca82ee512068253ad6c0e47548ce6e431b53c40
Instruction Fuzzy Hash: F0113D754093C0AFD7138B159C44662BFB4DF47624F0984DAED854F263D2756808DB62

Function 014BB71E Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 014BB78A

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 04e8fae892ec1132f96bb5728e4b8854a9dd34af35f7cec92dac67ddf890fcf9
Instruction ID: 149b0f7e4b0177eaab6a8fc09c91b8ac50f89083e7efb85d3357aefe84baccf4
Opcode Fuzzy Hash: 04e8fae892ec1132f96bb5728e4b8854a9dd34af35f7cec92dac67ddf890fcf9
Instruction Fuzzy Hash: B8117271509380AFCB22CF55DC84A52FFF4EF4A320F09899EED858B662C375A418DB61

Function 014BBEB4 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 014BBF0C

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1d006cfe0f4c51ec1f261aeb9791f9d6d2501d23d5c527ced5e7a9f9e8df74a0
Instruction ID: a3e9fefdbcc113e084acc17a5bd5f20c9cdbe8416d3d9241d364ab7244970184
Opcode Fuzzy Hash: 1d006cfe0f4c51ec1f261aeb9791f9d6d2501d23d5c527ced5e7a9f9e8df74a0
Instruction Fuzzy Hash: D01151716053809FD721CF29DC85B97BFE8EF46220F0984AAED45CF262D275E848CB61

Function 05781AC3 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05781B24

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 06d5c37a092add5b6406e7882882f35f1ce35646c8c73597122a6da8a138f8cb
Instruction ID: 8f13e677044bcd097fd27e8724e1f1dc95e546a9ccf8548dada4a198bbbdb34e
Opcode Fuzzy Hash: 06d5c37a092add5b6406e7882882f35f1ce35646c8c73597122a6da8a138f8cb
Instruction Fuzzy Hash: 751190715093C05FDB12CB24D854AA2BFF4EF47220F0D84DADC858F263D235A809DB61

Function 014BA75B Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 014BA7BC

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 826164a73ada34b591fe8c0094f7a5f1f008d7184e24c994040ebe33099263b0
Instruction ID: b441090634115bd01affddf51496c6d20c05ca3b7aebdff076672167e424f811
Opcode Fuzzy Hash: 826164a73ada34b591fe8c0094f7a5f1f008d7184e24c994040ebe33099263b0
Instruction Fuzzy Hash: FE115E715493849FD712CB15DC84752BFB4EF46224F1884DBED858B253D275A848CB62

Function 0578104A Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05781092

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c495262427efeff5073b7708e19c46034e60df4a016504eabfa84bb14cc87dd5
Instruction ID: d43c5d6c025c5b9e46cf1640125031c3f92cf0053d5f1b2dcebe61d7ec348779
Opcode Fuzzy Hash: c495262427efeff5073b7708e19c46034e60df4a016504eabfa84bb14cc87dd5
Instruction Fuzzy Hash: A7115275A042409FDB20DF2ADD45B66FBE8EF04220F08C4AADD46CB741D775E405DB61

Function 0578174E Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05781796

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c495262427efeff5073b7708e19c46034e60df4a016504eabfa84bb14cc87dd5
Instruction ID: 6dd2463ba90908859b8e60cf43633d30b851f94d742a3633f913c8c658e9f069
Opcode Fuzzy Hash: c495262427efeff5073b7708e19c46034e60df4a016504eabfa84bb14cc87dd5
Instruction Fuzzy Hash: DD118E756046449FEB20DF2AD884B66FBE8EF04220F0884AEEC4ACB742D334E404DB61

Function 05780CCE Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05780D13

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: f655870216633df8c50e8175e12409023371b496e2219db5d78bd14fb6db94ae
Instruction ID: f9f8e7c9c1c37f90c39c38c3774df627a520b916c95de95ab11637a8184124f5
Opcode Fuzzy Hash: f655870216633df8c50e8175e12409023371b496e2219db5d78bd14fb6db94ae
Instruction Fuzzy Hash: 55115B756442049FDB20DF2AD989B66BBE8EF04320F08C4AAED49CB652D774F408DB61

Function 05780EA6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,7D740ACF,00000000,00000000,00000000,00000000), ref: 05780EF9

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7eff6ba9a2e24d7171a37946a71cd8502b29a57488f5f3d7e2c9673d7dee7c40
Instruction ID: 3ded2c9c88417edc181435a12ad9fb596461657f8272f640fb28e8cc4faa891c
Opcode Fuzzy Hash: 7eff6ba9a2e24d7171a37946a71cd8502b29a57488f5f3d7e2c9673d7dee7c40
Instruction Fuzzy Hash: 1C01C0B1544200AEE721DB15DC89FB6B7A8EF54724F08C0AAED058B781D378E9088AA1

Function 05781C2A Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,7D740ACF,00000000,?,?,?,?,?,?,?,?,6C8D3C58), ref: 05781C6A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 23412dfaa4c5836c143522d7cf56a493251fb977740beba9c2012643760b9242
Instruction ID: 412165496d3f0036f8f2cc892e29b21b4b98711437de2819793547ef6f68d58a
Opcode Fuzzy Hash: 23412dfaa4c5836c143522d7cf56a493251fb977740beba9c2012643760b9242
Instruction Fuzzy Hash: CD1184756042049FDB21DF26D884BA6FBE4FF44320F08C4AADD4ACB651D775E408DB61

Function 014BA8CC Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 014BA926

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 982744dd644a030f8a923466dba5df64c33fcb3fed2e6ec33bb5bc324804c653
Instruction ID: 7174035e491405f1c2cf6f9195513ae6e6f545ec2d8df2341952922a80383300
Opcode Fuzzy Hash: 982744dd644a030f8a923466dba5df64c33fcb3fed2e6ec33bb5bc324804c653
Instruction Fuzzy Hash: 7E117C75509784AFC7228F15DC85A52FFB4EF46220F09849AED854B263C275A818DB62

Function 0578374A Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 0578379A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d75165ec1a49011e31190ac36053669547e21d594c288f1decaae4a4454ca1c2
Instruction ID: a749206ff695e49cbee93f080772aba37142d8202bf22fb1f7ca7e965c95386d
Opcode Fuzzy Hash: d75165ec1a49011e31190ac36053669547e21d594c288f1decaae4a4454ca1c2
Instruction Fuzzy Hash: 510171B1600200ABD310DF16DC45B66FBE8FB88B20F14855AED099B741D731F955CBE5

Function 0578123E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E24,?,?), ref: 0578128E

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: e803edcbd5a6f81f44cf89d82433fb5e1ad854f2a3355cdee9aead8b03dae82b
Instruction ID: ce23e11b424623338d74085935c46bda5d62c07d3020aebed761f1eb2247e1ce
Opcode Fuzzy Hash: e803edcbd5a6f81f44cf89d82433fb5e1ad854f2a3355cdee9aead8b03dae82b
Instruction Fuzzy Hash: 420171B1600200ABD310DF16DC45B66FBE8FB88B20F14855AED499B741D731F955CBE5

Function 014BBED2 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 014BBF0C

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cd816e00c8e1828788d8485814fd7424bffaaaad9253a0fd4c9d5c1e85396249
Instruction ID: 1a3f98eb63de70282eb2e5e11c349d66d453a233206ed707409f43b0e4da60a9
Opcode Fuzzy Hash: cd816e00c8e1828788d8485814fd7424bffaaaad9253a0fd4c9d5c1e85396249
Instruction Fuzzy Hash: 2A0152716042409FDB20DF2AD9857A6BBD4DF04220F08C4ABED45CB752D775E404CF61

Function 0578169A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 057816DA

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: 46df4d5c322d4a0501c66a6ef7f33a568aed747fe3e1fa13505fe77651c92787
Instruction ID: eb7c5906ec5ad474d80cc3d2acffbc0b7844feca62708eb1f6deaff9cdb2c2b4
Opcode Fuzzy Hash: 46df4d5c322d4a0501c66a6ef7f33a568aed747fe3e1fa13505fe77651c92787
Instruction Fuzzy Hash: 2E019E756006008FEB20DF16D884B76FBE8EF04320F08C4AAED458B652D775E848DB61

Function 014BB746 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 014BB78A

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b627f946186ef9f78452106144603ba70e2451464a065380b0f4048957039bf5
Instruction ID: c8fc06a40c1018218e8bd04da2591c8bf5a05d2fa4bbdf48638708266f697f9e
Opcode Fuzzy Hash: b627f946186ef9f78452106144603ba70e2451464a065380b0f4048957039bf5
Instruction Fuzzy Hash: 5B015E355046009FDB21CF55D984B96FBE0EF08320F0889AEED854B622D375E418DB61

Function 014BA546 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014BA58A

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a6149b06de28187977d0aff65ee108ba4c7cc611baa028695e72f00073b76a21
Instruction ID: cb4d5ac7d385d64ee28c9d602e7b2e90178792d677ee413f6fd335f88ec3b190
Opcode Fuzzy Hash: a6149b06de28187977d0aff65ee108ba4c7cc611baa028695e72f00073b76a21
Instruction Fuzzy Hash: 6D016D325046009FDB21CF55D984B56FBE0EF08320F18C9AAED494B662D375E518DF62

Function 05780232 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05780264

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7587320aaf920a645f8257652dc6bc4b1fe5e715dc344256dab746ecf51b8790
Instruction ID: 6ab6662f6a63ad2ac06b33f9e3b1538f247e0b5b760e5c50e888ce443d3bc01d
Opcode Fuzzy Hash: 7587320aaf920a645f8257652dc6bc4b1fe5e715dc344256dab746ecf51b8790
Instruction Fuzzy Hash: BC01B1756042009FDB10DF15D988B65FBA4EF41320F08C4AADC458B642D375E408DA61

Function 0578212A Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E24,?,?), ref: 0578217A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 09946ef62a23867da7b04bfc8cf631d53f3f5c26a62166ae73ba475412d13cbe
Instruction ID: 1590e5c1e7e149921f3375272e97d5db1603c8aa776b3096a8b7058af047686b
Opcode Fuzzy Hash: 09946ef62a23867da7b04bfc8cf631d53f3f5c26a62166ae73ba475412d13cbe
Instruction Fuzzy Hash: FC01A271600200ABD310DF16CC46B66FBE8FB88A20F14C11AEC089BB41D771F955CBE5

Function 05781DBA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,00000E24,?,?), ref: 05781E0A

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 091eb9734bafe77b95c3c7a4ced620c0b8379a11b5e6344f97bad1d95739160f
Instruction ID: 3c8e4a0fde10a7ecd38a5083da532fc8057aeacf13199dcd9af8cb7841401744
Opcode Fuzzy Hash: 091eb9734bafe77b95c3c7a4ced620c0b8379a11b5e6344f97bad1d95739160f
Instruction Fuzzy Hash: 33016DB1600600ABD310DF16DC86B66FBE8FB98A20F14C15AED089BB41D771F955CBE6

Function 0578199E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 057819D0

Memory Dump Source

Source File: 00000000.00000002.3008150785.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5780000_NYQbqD59m8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b096659a3acc36f6f7e9f6e084366ee187f9a3b55e51e6f450c90c3453530d4b
Instruction ID: 147538b95e82955b5acc59a9523d749de0fdbc815252afec5fd7c23cd58a61f1
Opcode Fuzzy Hash: b096659a3acc36f6f7e9f6e084366ee187f9a3b55e51e6f450c90c3453530d4b
Instruction Fuzzy Hash: 55017C756046409FDB10DF29D985B66BBE4EF44220F08C4AADD4A8B652D375E408DF62

Function 014BAF9A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 014BAFEA

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 16debc2d1824b87bd1da9340f876239868c75fa00badc2b0a76bb11f7d1ffe09
Instruction ID: 214c8503c26f2f3cf310030b284cbe0d99dc54ab0e93b57cf13d6811d97114a3
Opcode Fuzzy Hash: 16debc2d1824b87bd1da9340f876239868c75fa00badc2b0a76bb11f7d1ffe09
Instruction Fuzzy Hash: E5016DB1600600ABD310DF16DC86B66FBE8FB88A20F14815AED089BB41D775F955CBE6

Function 014BBB7E Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 014BBBB9

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3f968ac8bd9182b3889bfad7180372983b4b3a8b648d15f31cd7a2b238740e31
Instruction ID: 207629aaddacbf3279850bbae41196583b6d9199455ab408a399c0653433949a
Opcode Fuzzy Hash: 3f968ac8bd9182b3889bfad7180372983b4b3a8b648d15f31cd7a2b238740e31
Instruction Fuzzy Hash: F001B1365042009FDB318F1ADC84BA6FBE0EF04220F08C4AEED464BB66C375E418CB61

Function 014BA78A Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 014BA7BC

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 461d87ea34f7133ed72d96d6ccbab0db375a09c44a54f7642257144470b6b547
Instruction ID: 2c23624ef8e8aecb31e8aa192642ba1aec7bdf29b40e0425b8a181a84a4da835
Opcode Fuzzy Hash: 461d87ea34f7133ed72d96d6ccbab0db375a09c44a54f7642257144470b6b547
Instruction Fuzzy Hash: 05018F755082409FDB10CF19D9847A2FBE4EF04220F18C4ABDD4A8F752D379E408CAA2

Function 014BB806 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 014BB841

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6e8cbce2e97635a87b8bad37dc45f607d9bfcfdf6a39d495971f7754b1c7f39f
Instruction ID: 8ef5c04deedd7d86b2590427f6aa4b4c0a6ecd993f198b5b325d62839cdf90eb
Opcode Fuzzy Hash: 6e8cbce2e97635a87b8bad37dc45f607d9bfcfdf6a39d495971f7754b1c7f39f
Instruction Fuzzy Hash: D2018F355002409FDB21CF06D984BA6FBE0EF04220F08C4AAED450B762D375E418DBB2

Function 014BA8EE Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 014BA926

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 96bc6fe9595a047c89c70c0e5d3676b56684a1f96c5939ae3d52f2026428ba08
Instruction ID: bd3dc30efdd928c6237d0ca6ceb22748ced40a3bb30375f54fb37a8e8e1c722e
Opcode Fuzzy Hash: 96bc6fe9595a047c89c70c0e5d3676b56684a1f96c5939ae3d52f2026428ba08
Instruction Fuzzy Hash: FF01AD395006009FDB21CF0AD985BA2FBE0EF05220F19C8AADD460B762C375E808DB72

Function 014BA372 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 014BA3A4

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8a0f6d8a41a70b0ce8c613760792cb3595a50a11cf458d368b6dcbe1c83d72a2
Instruction ID: ef736ae98b980ac7e5489c2e4d23a718e9428c9d37c8b77de28f82475eaf4894
Opcode Fuzzy Hash: 8a0f6d8a41a70b0ce8c613760792cb3595a50a11cf458d368b6dcbe1c83d72a2
Instruction Fuzzy Hash: 2DF08C355053409FDB21CF0AD9847A6FBA0EF04224F18D4AADD494B762D3B9E418CAA2

Function 014BBE3E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 014BBE70

Memory Dump Source

Source File: 00000000.00000002.3004940751.00000000014BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_NYQbqD59m8.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8a0f6d8a41a70b0ce8c613760792cb3595a50a11cf458d368b6dcbe1c83d72a2
Instruction ID: c48552437c23402bf29525fcdb2fc54f30fe6d7bbf4ab6678a4a00afe2645afb
Opcode Fuzzy Hash: 8a0f6d8a41a70b0ce8c613760792cb3595a50a11cf458d368b6dcbe1c83d72a2
Instruction Fuzzy Hash: D3F08C359042409FDB21CF0AD9847A2FBA0EF44230F08C4AADE494B762D379A408CAA2

Function 06563BD8 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

MOC, xrefs: 06563DAE

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: MOC
API String ID: 0-624257665
Opcode ID: 8710cb6fcfa0be5a58d9a7588e45af7efff77b6bc54c9bc768a61f1fd57a34c9
Instruction ID: 82e0c4b7e5ab06945c630f5a9ca4916e3b7b108603ae47369d9664084f668a79
Opcode Fuzzy Hash: 8710cb6fcfa0be5a58d9a7588e45af7efff77b6bc54c9bc768a61f1fd57a34c9
Instruction Fuzzy Hash: 2D817070A00A12DFD765DF2AC98496AFBF2FF88204B14992DF15787B60CB31E845CB91

Function 018DCBFB Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

, xrefs: 018DCD3B

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fdf11f5112ab2def9aa5e39d9aa49d425ae0c445be78a0eb451c2938db6918a1
Instruction ID: 3136c3a28b424261eca6656257017b3bc126f450ad6807078b5b7ab8a20bc568
Opcode Fuzzy Hash: fdf11f5112ab2def9aa5e39d9aa49d425ae0c445be78a0eb451c2938db6918a1
Instruction Fuzzy Hash: E361D231B042099FCB14DF69C8445AEBBB2FB85314B25847ED116DB355EB319906CB91

Function 018D20D0 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

r*+, xrefs: 018D230F

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 658dce8cea05a7567a3328e32bde1153dbcd20c059f0b5a3c46cd366c9c78e40
Instruction ID: 75199253caf277a4fdc19ec0cd7d3f82829cce183e1bc02db67d6074a72afdbc
Opcode Fuzzy Hash: 658dce8cea05a7567a3328e32bde1153dbcd20c059f0b5a3c46cd366c9c78e40
Instruction Fuzzy Hash: A9715B30A04309DFDF54DFA9C4456AEBBB2FF85308F1084AAD502DB665DB30AE45CB52

Function 018D068C Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

-Z@k^, xrefs: 018D06A1, 018D06A6

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: -Z@k^
API String ID: 0-2820313194
Opcode ID: f2d8733ca089762a2f5548992dc5a2219fdd5e92238915f8581ba8da1908ff59
Instruction ID: 3b06de7b32c5aefdcc16ac8b0bd783cab527ac6607300923c2fed6885e6772bd
Opcode Fuzzy Hash: f2d8733ca089762a2f5548992dc5a2219fdd5e92238915f8581ba8da1908ff59
Instruction Fuzzy Hash: 0C416C316002118FC7A46B75E84D6AD3BA7BB9070BB05497AF506CB278CF799D05CFA2

Function 018DD730 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

f`k, xrefs: 018DD74D

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: 2d3e08a775ec8ef796aece5fe0eb69d952126ad83dab519cdf42e789eddf9362
Instruction ID: 374d295ba88a1409fdfa1f583569c9b67a501efc372f4a4033830e3c792855dd
Opcode Fuzzy Hash: 2d3e08a775ec8ef796aece5fe0eb69d952126ad83dab519cdf42e789eddf9362
Instruction Fuzzy Hash: 2B319374A003028FD7249B54C494A6AB7A2FB85314F118E6ED14BCF785DB74ED858B92

Function 018DD740 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

f`k, xrefs: 018DD74D

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: 10e2a6bba972b1822b5938b61a4754fb040538a8c3dfcb6b85a52bf9cebe4674
Instruction ID: 214f0193139f328868ff309741ecc2c14d908e15d798aabcff0f33cdf93748c5
Opcode Fuzzy Hash: 10e2a6bba972b1822b5938b61a4754fb040538a8c3dfcb6b85a52bf9cebe4674
Instruction Fuzzy Hash: C641B674A003028BD7249B94C49466EB7A2FF85314F11CE5EC14BCF785DB74ED458B91

Function 06562BF0 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

L, xrefs: 06562BF8

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: f7f55e024b907c8c96334f54784e297e9fcb7e0da330a1c24581d43fdd3bc563
Instruction ID: c0d47d9bedd8b44672a6ccc9a2201493cd4a799f2ef93e09a5a967bd5a5e48cd
Opcode Fuzzy Hash: f7f55e024b907c8c96334f54784e297e9fcb7e0da330a1c24581d43fdd3bc563
Instruction Fuzzy Hash: 5F31F732900115AFDF51EBB5D8048EE7BB2BF89310F050855E906AB270DB75AA09CB91

Function 018D9398 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 018D94AF

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: e56c96efef22d60ff18b7300aa9de073abaf47a25ca420686b2e3a33223e8bae
Instruction ID: 6bcff355eda83dfc1970f25c901ce0c9c889e85e2b02fa51fd9cb597ec3da680
Opcode Fuzzy Hash: e56c96efef22d60ff18b7300aa9de073abaf47a25ca420686b2e3a33223e8bae
Instruction Fuzzy Hash: F1411830E04209CFDB44DFA9C1856AEBBB2FF4434CF1090AAD406E72A1DB749A41CF92

Function 06562517 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

$|k, xrefs: 0656254C

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: $|k
API String ID: 0-1307664736
Opcode ID: 3d05bf7b41fc24729e890f1c32d8503284041744e6916a42c53247c761a9da12
Instruction ID: ce39cca2d7e1e96f30f8102069afcfd9936e5a7267ad58a628e091cc5378162a
Opcode Fuzzy Hash: 3d05bf7b41fc24729e890f1c32d8503284041744e6916a42c53247c761a9da12
Instruction Fuzzy Hash: 62316930B002148FCB65DFBAC594AAEB7F2BF88204F10483DE506AB754DB75E946CB91

Function 018D6539 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

ER@k^, xrefs: 018D6558, 018D655D

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: ER@k^
API String ID: 0-3303834633
Opcode ID: 1b8857a466447e628ff61dfb5736555a76f1440a5edcf92150ee9ac942f6d7c0
Instruction ID: f9709baffd88111e5b8e45f977ba4de3ebd9a0a1f96aeb0c432f4fc536e55b7b
Opcode Fuzzy Hash: 1b8857a466447e628ff61dfb5736555a76f1440a5edcf92150ee9ac942f6d7c0
Instruction Fuzzy Hash: 80216E31B0C3598FC7515778A8101FD3BB49F9631471400EFD505CB2E6FA698E058792

Function 018D705E Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

%P@k^, xrefs: 018D70D9

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: %P@k^
API String ID: 0-4158077903
Opcode ID: 2bb50cfb32357c90b0e6c868b9e1b35809d0dc35355b4f839a41264a19a565fe
Instruction ID: e4e5909d9592075ff1adcae6d86e72e0666a08e220aa6255e5c764b75b1b9410
Opcode Fuzzy Hash: 2bb50cfb32357c90b0e6c868b9e1b35809d0dc35355b4f839a41264a19a565fe
Instruction Fuzzy Hash: 3431A3302402018BC729AF39D19959D77B2FB982993048E6DE146DB364DF79AC0ADB92

Function 018D25DE Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

f`k, xrefs: 018D26C1

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: 508a70dad1f648db40f9bb3ea28d28ab8c84064ffc72b3483b9de53979ec5c22
Instruction ID: b83c2eb1681dece511391823b0f150b9692afcd78f9af659e474a5d07e6c1412
Opcode Fuzzy Hash: 508a70dad1f648db40f9bb3ea28d28ab8c84064ffc72b3483b9de53979ec5c22
Instruction Fuzzy Hash: 59316C70A00309CFDB60DF69D54469AFBE3FF84318F15C569C0059B2A9DBB8A989CB42

Function 018D977E Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

f`k, xrefs: 018D9861

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: f4b262fe22395c3e103ea60fa7f37f89e0f98d5bc95ee63a0368d56bd75044a8
Instruction ID: f6ad8f178e68092cab921014837bf53528acdb611d7451f112cdf490874580de
Opcode Fuzzy Hash: f4b262fe22395c3e103ea60fa7f37f89e0f98d5bc95ee63a0368d56bd75044a8
Instruction Fuzzy Hash: 8F318E70E20306CFDB20CF6AD18565AFBF1FF9435CF119529D0059B299CB789949CB81

Function 018DBECE Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

f`k, xrefs: 018DBFB1

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: f36ab74cdf85240ecfb8fede5d5bbfd1692e9d9fe3f6f2e533a5d77b8ed228dc
Instruction ID: cbdd247073d5d1c5f291a7dc6c2eca3b084bc4e3254286b4c060f1d765e7d1b3
Opcode Fuzzy Hash: f36ab74cdf85240ecfb8fede5d5bbfd1692e9d9fe3f6f2e533a5d77b8ed228dc
Instruction Fuzzy Hash: EE313870D0030ACBE724CF69D444659F7E2BF85318F15866DC1099B265CBB5D94DEF41

Function 018D64A0 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

5S@k^, xrefs: 018D64C2, 018D64C7

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: 5S@k^
API String ID: 0-2239890339
Opcode ID: b9055097d47b96b4840b5febade9e6cff1ab42a2437ed8d66bb92a840fd9ff61
Instruction ID: 50c259717afde658237605e8c299a68565f78c809c975a16358ef54b4f9e0cfb
Opcode Fuzzy Hash: b9055097d47b96b4840b5febade9e6cff1ab42a2437ed8d66bb92a840fd9ff61
Instruction Fuzzy Hash: 57F046317002710FC6192ABD14142BE6BC74FD165070849AEE04AEBFA0DE318E0183A2

Function 018D64A8 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

5S@k^, xrefs: 018D64C2, 018D64C7

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: 5S@k^
API String ID: 0-2239890339
Opcode ID: 988da3c589e55b1baa1da37d3744bf1d17c6854fb3e5ba0aa9eeba8b7197d810
Instruction ID: a57393279a8f452f95bd1c4c3bd5777597501361e6d136b7f966493c17a64fad
Opcode Fuzzy Hash: 988da3c589e55b1baa1da37d3744bf1d17c6854fb3e5ba0aa9eeba8b7197d810
Instruction Fuzzy Hash: C2D0A72274023A1B55146A7F684967F368F5BD1854704486DF50ADB370DE26DC0143E9

Function 018D6548 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

ER@k^, xrefs: 018D6558, 018D655D

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: ER@k^
API String ID: 0-3303834633
Opcode ID: 1513ac6dd904944b4cf4a7bc162b7afe2a6e234c5262450352b9fc5dd5ea2098
Instruction ID: 5517d4c139adda8c27881cf0a17a62b3b59fe3fd195759892b8a4b10de640b2a
Opcode Fuzzy Hash: 1513ac6dd904944b4cf4a7bc162b7afe2a6e234c5262450352b9fc5dd5ea2098
Instruction Fuzzy Hash: E0D0A735300124279544E5BDE8A1C79738FEBD5924304889FE90EC73A1CE73EC0283D0

Function 018D12A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a20944058273c9ff22a0b1a96776a1fa42b140166624f6a4678d519fbfe0fb
Instruction ID: ccedca8f82ef8ba4ab548f3eeba112a277c70a4d4dadfea8881b06eb1e271fcb
Opcode Fuzzy Hash: e8a20944058273c9ff22a0b1a96776a1fa42b140166624f6a4678d519fbfe0fb
Instruction Fuzzy Hash: 5B22F334A00A05CFCB24DF24C594A6AF7F2FF48304F1089AAD85A9B761DB39AD49CF51

Function 018DD260 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c99f50b2740f9b32523a36c6cadc99d73d9213c9662ba4f677a65f5e24cf75
Instruction ID: c2149e306e9a1d44fb0c5ec9c6758f28d3d28b018257851e4dd06409c91a18f5
Opcode Fuzzy Hash: 43c99f50b2740f9b32523a36c6cadc99d73d9213c9662ba4f677a65f5e24cf75
Instruction Fuzzy Hash: 46A12831A0435ADBC714DBE9C8849BEBBF6EF81318F18826AD515DB281D731EA05C7A1

Function 018D6600 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280992f7424ce523e98a5d639db9aa04536a5ca3ba85838d35fe3e77f48e3740
Instruction ID: d6442048545c9f9f8585b5841cba1177195acdb78a44bcad77cb75e8ab6fa321
Opcode Fuzzy Hash: 280992f7424ce523e98a5d639db9aa04536a5ca3ba85838d35fe3e77f48e3740
Instruction Fuzzy Hash: 7E816F31A00619CFCF15CF25C8906DAB7B2AF85304F15C595D90AAF211EB71EE8ACF90

Function 018DE9E0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288f8e60b93d620f943cd4387c6c41085dc3d5516da10c3f27423a31122df0ff
Instruction ID: 6e99e15ee15e1fb1644a18ef298dce896fadf51d286286750d14d5b0d661e60b
Opcode Fuzzy Hash: 288f8e60b93d620f943cd4387c6c41085dc3d5516da10c3f27423a31122df0ff
Instruction Fuzzy Hash: B981D6306006128BD714EB69C494EAEB7A3FFD4214F51493DD2169BBA4CF74AC19C7E2

Function 06562838 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff9910e2735fca6f1ed3f71cbba9133d900432388e3f95d40d3fb56b65eae87
Instruction ID: 0e1b4765c74d4e744664e9671ed6b4c2ed2785da9e387cd0f4b476b1db592540
Opcode Fuzzy Hash: fff9910e2735fca6f1ed3f71cbba9133d900432388e3f95d40d3fb56b65eae87
Instruction Fuzzy Hash: 84715134A00205CFDB64CF66C494BADBBF1BF88328F188959E456A7761CB71E985CF90

Function 018D0980 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512e764b4dddce5d7957ffeee7e7783afd09b4f305925ba556009aae93d225a4
Instruction ID: e7b9aae5087d21381e020a2373382eb2212f7ee244fe15cea30a275dd1111f25
Opcode Fuzzy Hash: 512e764b4dddce5d7957ffeee7e7783afd09b4f305925ba556009aae93d225a4
Instruction Fuzzy Hash: 68512331B08315DFCB109FA5C850BAEB7E2EB85318F10856AE547DB360CB709E06CB91

Function 018D02E8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602f14960e0aa6b84c0ff57337eb86176469685862f3dfaeff24b7232b8c4b9a
Instruction ID: 49fa36de90b7ea96165d57b4e78574299ce41a6d5bed0adf0ab72bf376844474
Opcode Fuzzy Hash: 602f14960e0aa6b84c0ff57337eb86176469685862f3dfaeff24b7232b8c4b9a
Instruction Fuzzy Hash: 8C519F34A043058FDB09DF68C590AAE7BF2AF89314F2580AEE506EB761DB35ED05CB51

Function 065620D0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0969940f31a4b7d8b96f8eba99e8620edbf72252a1a28d58390e24d22cefdb44
Instruction ID: 5eb57243d3934062f7c3cf38e5c7c1fee1a3fa78bf6e72d89bbee42593fea11f
Opcode Fuzzy Hash: 0969940f31a4b7d8b96f8eba99e8620edbf72252a1a28d58390e24d22cefdb44
Instruction Fuzzy Hash: A451A031A14119CFDF58DFA6D9408ADB3B6FF88304F058465E906AB361DB31EE46CB91

Function 018D7A68 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51df70e5e900e8ce7ebe73ae830750f6f145c0adcffd539a0a44b74d91fd6742
Instruction ID: 81ad664598a96baf228f26e21a7e3f08eb7c53242cb21a0ab5825ed2d7a3c771
Opcode Fuzzy Hash: 51df70e5e900e8ce7ebe73ae830750f6f145c0adcffd539a0a44b74d91fd6742
Instruction Fuzzy Hash: C431073190061ACFCF21CF14C854ADAB7B2AF85308F518894DA09BB215DB706B8ACF81

Function 018D76B8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e90e594cea693a4fa3c1c74406435ca315f21582db3d1a921c492e6cb100288
Instruction ID: e8e74a6f8ee298722fc08557451b6be9f6f9aca4fe00950226494db7dab94cee
Opcode Fuzzy Hash: 0e90e594cea693a4fa3c1c74406435ca315f21582db3d1a921c492e6cb100288
Instruction Fuzzy Hash: 55517E31B002198BCF18EBB9C5515AEB3F7AF98308B158569C40AEB760DF35ED06CB91

Function 06563F89 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca348127a1dbe41b219cd8b79763a8aee342198163e690ce8f782b76d8df1fb
Instruction ID: f0f2130549f71fd41bfdb4648409b989ef15e7957e42673e94c781b107d0d5ab
Opcode Fuzzy Hash: bca348127a1dbe41b219cd8b79763a8aee342198163e690ce8f782b76d8df1fb
Instruction Fuzzy Hash: 5151F430A00256DFDB94DFAAD4546AEBBF2FB98304F108569E006DB3A5DB389C45CB91

Function 018D8E70 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b554499ee75f2d9588867fc4f14b12f61f61277c1041f2cfefb58f8f11541749
Instruction ID: e42cd9e420192f462176696b4657f172e09fe262ca4628541a5df007ead4b386
Opcode Fuzzy Hash: b554499ee75f2d9588867fc4f14b12f61f61277c1041f2cfefb58f8f11541749
Instruction Fuzzy Hash: 7F41F971B0430ADFC715EF79C8409AEB7B6EF46308B10497ED506EB650DB31AA058BA1

Function 018D7F50 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf3968a8853f3b46fca784b156709108bb0d82445ce107479d5e8e1e4b3c0c3
Instruction ID: c4a9d3d5603d19a0d44ed87cce8f3e3edce79d25bcc93d56682103148112d644
Opcode Fuzzy Hash: 9bf3968a8853f3b46fca784b156709108bb0d82445ce107479d5e8e1e4b3c0c3
Instruction Fuzzy Hash: 6D513275D00618CFCB24DFA8C984A9DBBF1FF49314F2085AAD95AA7264E7316E09CF50

Function 018DD960 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60d44e6e72039596de8ee2e0f116fa7a53ea2df99cdab4c217db396465de0e4
Instruction ID: b53871f52f43ce71b6308e20726eb90b24b451ec081a21f8392b763c57817841
Opcode Fuzzy Hash: a60d44e6e72039596de8ee2e0f116fa7a53ea2df99cdab4c217db396465de0e4
Instruction Fuzzy Hash: 1A516031B102149FDB11DBA9D898EAEBBF6EF88320F05C169E905E7395CB309C41CB91

Function 018D8221 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44ab36f76b0ff1ff234aace519484ed0b8594361c1036b05d7b359fea3dd04d
Instruction ID: 73eeea808f11d6f8fd942d9259ad0ddcb3c99ea20d436cb0cbc97c2ac8015671
Opcode Fuzzy Hash: f44ab36f76b0ff1ff234aace519484ed0b8594361c1036b05d7b359fea3dd04d
Instruction Fuzzy Hash: 8B514734A00315CFDB14DBB4C588AADB7F2BF86344F1186A9D44ADB651DB30AE45CB61

Function 06563800 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fac2e239215955ebbf544ef7432ffa208e8c44f97e9b517ecd33836e1da452
Instruction ID: b333d2987192a324aa38b87fcddbf950a6eb1fd98f442360c5296c8e2ee70a28
Opcode Fuzzy Hash: c2fac2e239215955ebbf544ef7432ffa208e8c44f97e9b517ecd33836e1da452
Instruction Fuzzy Hash: BC510735A00205DFDB44DEA9C480EEDBBB2FB88324F1595A5E511AB361DB35EC85CF90

Function 06561070 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7966ce9b08475cfd75c9d416b0a2e4ac3aace7ab3812530048db38567973ef1
Instruction ID: dc1a32b0d8be14f2ed3c92085f35640b4c61d359bfbb2ccaa1395bb18caeb55f
Opcode Fuzzy Hash: d7966ce9b08475cfd75c9d416b0a2e4ac3aace7ab3812530048db38567973ef1
Instruction Fuzzy Hash: 2B4103706057548FCBA59F39E4044AA7BE5FB5624C32489EDF00A8F352DB369C0BCB95

Function 018D0BC0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e2b6e2fd8da03896acaaed97b0eb5fd4666a79981fb9bda66549ec7e72634a
Instruction ID: 3e097af9473d4b5cb7099c424f8f9d83646fecec33bbd77dad5f7719a921b89f
Opcode Fuzzy Hash: d6e2b6e2fd8da03896acaaed97b0eb5fd4666a79981fb9bda66549ec7e72634a
Instruction Fuzzy Hash: 2241EB31B043148FCB159F29C4146AE77F6AF86315F1580AAF906EF761CF729D068792

Function 018D7238 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37b03a663745e8e13c331887fa64d13a426f90398fb3f3956eaa53b2605408c
Instruction ID: a6eb87092fc970b38fbe49b5749783ec89b2aed5d6cc5420c90b385f6abd193a
Opcode Fuzzy Hash: e37b03a663745e8e13c331887fa64d13a426f90398fb3f3956eaa53b2605408c
Instruction Fuzzy Hash: 37419034A01700CFC70AAF76D45056E7BB3FB8E25135441A9EA06EB761CF359C01EB62

Function 06562828 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027da60213ca9dff394fd74932ae74e156921daf5a0aaf180cd3b46a8f79d62d
Instruction ID: fea300b5a3b49ea33cf90c27a67e00e3cbfd9f16415a8b6af485774f3a6a7529
Opcode Fuzzy Hash: 027da60213ca9dff394fd74932ae74e156921daf5a0aaf180cd3b46a8f79d62d
Instruction Fuzzy Hash: B0517330A04605CFE765CF6AC084BA9BBF1FF88318F188959E456A7661C770E9C5CF90

Function 018D5A00 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dbc766afb0cda62ee4999d720c4656c3e0c24b375663dce6a3a038b20ae905
Instruction ID: 57e75d6e877cab39ee6532f6f4c793ab44c028a85acd9ac4e629fc949d4a47b0
Opcode Fuzzy Hash: f4dbc766afb0cda62ee4999d720c4656c3e0c24b375663dce6a3a038b20ae905
Instruction Fuzzy Hash: B441B1347043168FDB546BB9945823E37BBAF84749B54847BD502CB2A4EF34CE028B52

Function 018D7248 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f994bc33c324c89d0537a613ec84de21464bc782ff4e3d43382139a8c95f42a6
Instruction ID: 90cadcdda5d4f47267d4f29de36c2f2dadf0ea3613eabec9dbeba93b7bc7129e
Opcode Fuzzy Hash: f994bc33c324c89d0537a613ec84de21464bc782ff4e3d43382139a8c95f42a6
Instruction Fuzzy Hash: 5B419034A01700CFC709AF6AD45052E7BF3FB8D29135441A9EA06EB765CF31AC01EBA2

Function 06564190 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982ec033ecbe0c6d03e6137e16a95399488d3c03a23b9bf1907a1c36ce5a1f74
Instruction ID: 47f4f1eaafbbabc2b8cc1f8f92f24a4c85ec8afc3f45bdcf9d4d90c7b0d7fa8a
Opcode Fuzzy Hash: 982ec033ecbe0c6d03e6137e16a95399488d3c03a23b9bf1907a1c36ce5a1f74
Instruction Fuzzy Hash: A441D274E00208DFDB95CFAAD480A9DBBF1FB48314F24C46AE405EB215D731A946CF90

Function 018D09A9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6efd632e83f1ae4cc95ab49b36c39fd0d325326a1ebfa4d0c379d8d5a5f0032
Instruction ID: 89b3d0db56e9c5822f1e73095c7af38d4ce753dc37353f63bd60700587cc6e10
Opcode Fuzzy Hash: a6efd632e83f1ae4cc95ab49b36c39fd0d325326a1ebfa4d0c379d8d5a5f0032
Instruction Fuzzy Hash: 95419A35B002159FCB159FA8D498AAEB7F2FF88304F158468E51ADB375DB30AC06CB81

Function 06562C00 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d607e5f84b5319f510aa8bb5cf4095ca41616740d002ff6ec56440db844c76
Instruction ID: 25d9cac1349253b578a636f986750c422af9b16fa2bafce775a73ac919f0089d
Opcode Fuzzy Hash: 20d607e5f84b5319f510aa8bb5cf4095ca41616740d002ff6ec56440db844c76
Instruction Fuzzy Hash: 8731D232A00515AFDF55EFA9D8448AE77B2BF89310B050865E907AB230DB75EE09CBD1

Function 065620C2 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870c753d4aeeb2a40044e5525322031b97472046cce9f229644fb1b813b41e3e
Instruction ID: de4b013f80e1d32d090c478c62517e4fc03997f48470a7a99253a3f17268ed6a
Opcode Fuzzy Hash: 870c753d4aeeb2a40044e5525322031b97472046cce9f229644fb1b813b41e3e
Instruction Fuzzy Hash: C2319231A04219DFDF55DFA1D8548EDB7B6BF88340F014469FA06AB261DB329E09CB91

Function 018D02DC Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a181d5655991abd3e50fc49cf746bb992cf17a93c68944d77e21622fc6b68d2
Instruction ID: 42b0968ae3392b015f11850ffd1d5529abc7e4aa4a3bc3734a3c147a01b9f7da
Opcode Fuzzy Hash: 7a181d5655991abd3e50fc49cf746bb992cf17a93c68944d77e21622fc6b68d2
Instruction Fuzzy Hash: 8E416F34A00308DFDB18DF68C194BAE7BB2EF99314F24446DE502EB7A0DB719D418B51

Function 018D8848 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9fe1c067d3613141f9b3301bedc0f1c73983b58e6e111a576312a263517097
Instruction ID: a41b7c15662b28f301d11d2831499867989992c295605784034a6a67e35fccb6
Opcode Fuzzy Hash: ba9fe1c067d3613141f9b3301bedc0f1c73983b58e6e111a576312a263517097
Instruction Fuzzy Hash: 5A319C75A0020ADFCB00CB69E485AADF7B0FF86328F15C276D556DB261C730DA46CB92

Function 06561FAA Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f0f09a134307b1442d6d7a06597e9dd6587a17a1141ca472aac91e09113129
Instruction ID: c5ebf60e076559361cb0d0aa59f48ebd8b775777df3e91f11cac5c5af43ee8a0
Opcode Fuzzy Hash: c5f0f09a134307b1442d6d7a06597e9dd6587a17a1141ca472aac91e09113129
Instruction Fuzzy Hash: 6E316D30E01204CFD794CFAAC5586AEFBF1BF4C260F248569E40AA7251DB31DE46CBA1

Function 06563E61 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ea5ff8509280f8a69997815a9ef51ffe2426924d40c74135dbf129bbcecfba
Instruction ID: d3acd94df7d553c42dce79c2784f74d4bedd6df807ec437d896b077d297880cd
Opcode Fuzzy Hash: 31ea5ff8509280f8a69997815a9ef51ffe2426924d40c74135dbf129bbcecfba
Instruction Fuzzy Hash: 3D413B30A05B51CED3B9CB3AC544366FBF1BF85205F14986EE09687AA0DB79A885CF50

Function 018D2094 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19157ccb68fcd27cb6124b18121bd1a7c2ac59389eb48d772a32f65b7bb26557
Instruction ID: 198b209c07a906b52b46b10b21a26849031919484ec7319c7222a22e51e27124
Opcode Fuzzy Hash: 19157ccb68fcd27cb6124b18121bd1a7c2ac59389eb48d772a32f65b7bb26557
Instruction Fuzzy Hash: 7E31CE75608749CFCB56DF78D8919E97BB2FF46318B1444AEC182CB262D2316A86CB11

Function 018D44A0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283ae78ffa7d6b88a45576b22d89527716ae5f46a84b07bc5482de23649cb4b1
Instruction ID: c1d538fc579a40fc260b5af0d1eb0de8ac7ed7aec5d99c0014bf250f10fc3f21
Opcode Fuzzy Hash: 283ae78ffa7d6b88a45576b22d89527716ae5f46a84b07bc5482de23649cb4b1
Instruction Fuzzy Hash: 9431CF36501206CFCB11DF64D8488EDBBB2FF8930930584E9E1069B639CB3AAD59DF51

Function 018D1298 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab600dfc1c1b0391770c775a09ba5b7c9581fc345fb83f0abc8ac5df9f883682
Instruction ID: a6ec2cee5932fdaaa195f8856ddb9b67fc32ac23cdd9825ac9d3a4dee533adf8
Opcode Fuzzy Hash: ab600dfc1c1b0391770c775a09ba5b7c9581fc345fb83f0abc8ac5df9f883682
Instruction Fuzzy Hash: 2A410674A04319DFCB64DB64D888B99BBB2BF49304F0044EAD50AAB760DB349E84CF61

Function 018D46A8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091d0fd8407c3be831ece7033a5abe4cba0f8c05c2b408dfd3328554744d2ef5
Instruction ID: f4ab30d3a62da7fb7747296ef13b01ce126e58c6f55d013315da991683bd38e8
Opcode Fuzzy Hash: 091d0fd8407c3be831ece7033a5abe4cba0f8c05c2b408dfd3328554744d2ef5
Instruction Fuzzy Hash: BD219179F0021E9FDB44DAA9D881AFFB3B9FB89704F10803AD619D7650E6305A058761

Function 018DB951 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a126f3106eb76e3af3bdb98ff3540313ec84b17fd892d2e44f5c801e7668b0
Instruction ID: bddc9e1617d060bd236532871ce0306933d718d7bed744d6ac37cef8ccd4b3d4
Opcode Fuzzy Hash: 35a126f3106eb76e3af3bdb98ff3540313ec84b17fd892d2e44f5c801e7668b0
Instruction Fuzzy Hash: 1A31C331705314EFD754AF39E8488AE3BE6FB862167514869E106D7360EF389D08DF52

Function 018DB6C8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79ac24b1c25f17e1f104dcdd7c60665e90995a074abb8b79ef00b6820d92037
Instruction ID: 66f05706b7610d837e6dc3330f69c09a9ed720d48a98ba6bb35de9d8b0bb87fe
Opcode Fuzzy Hash: e79ac24b1c25f17e1f104dcdd7c60665e90995a074abb8b79ef00b6820d92037
Instruction Fuzzy Hash: A6310674E01208DFCB14DFB9E8849EEBBB2FF89205F10842AE805A3360DB35A905CF54

Function 018D51C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea335ade7f3db930714d76fad1e0b6d80a09f183e735cb1eb9a37374de9bc61
Instruction ID: f33dc08a2673769a82bc413c4d5a25e426d57a6343b3afdbe1dcfb2b1808084e
Opcode Fuzzy Hash: aea335ade7f3db930714d76fad1e0b6d80a09f183e735cb1eb9a37374de9bc61
Instruction Fuzzy Hash: 5C219C70A003099FDF04DFA9C4546AEFBF6AF99314F014429D40AEF360DB74AA4ACB81

Function 018D0006 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a666f6eb3ebb8ae275b7128a92552ca52c493373eb264d000f4adcfe05d7c64
Instruction ID: edf2fe200b96fa3979462d6bd1ad0eb8a3cec876edf6e9d3d1df196caaab254d
Opcode Fuzzy Hash: 5a666f6eb3ebb8ae275b7128a92552ca52c493373eb264d000f4adcfe05d7c64
Instruction Fuzzy Hash: 17318D7050D382CFCB529F70C8548987BB1BF42224B0648EFE585CB2A6E77C9D19DB22

Function 018D76A8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e86d66b926a8be838f166253e805a918bca0e6b9fb7714539d75c05cc0a85b2
Instruction ID: eac19e1d0c9da87a4363d700a981e4fbe6d8f6aa1059f3752f0f9bc21b13b6b4
Opcode Fuzzy Hash: 8e86d66b926a8be838f166253e805a918bca0e6b9fb7714539d75c05cc0a85b2
Instruction Fuzzy Hash: 9E314D35E002098FCB14DBB9D4545EEB7F2BF88308B11856AC519EB764DB35AD06CB91

Function 018D4869 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67568be60952ccca3194f8c30dd7086c6604ec5e60c2520a600829284be01a60
Instruction ID: 4df6c17378b98d8d74a52b33692f7aacae9012d257e733ca7caaa7da25a32fbf
Opcode Fuzzy Hash: 67568be60952ccca3194f8c30dd7086c6604ec5e60c2520a600829284be01a60
Instruction Fuzzy Hash: CF21D072B012159FC755ABBD94017AF77E2DBD5354F24413ED10AEB2A0EA318D0287D5

Function 018D7F40 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5a5d95c58bdda7d2f950fd1a9e97598fb230f13ffe8673c6a7d95996b000cc
Instruction ID: ba58167250e3274e3eae4eb05b57a505defe1b6c67945dc8e16ec0f8740fb2b7
Opcode Fuzzy Hash: db5a5d95c58bdda7d2f950fd1a9e97598fb230f13ffe8673c6a7d95996b000cc
Instruction Fuzzy Hash: 7131D431904348DFDB25CB68D504AFDBBF2AF8970CF1444AAC116EB661DB355E05CB51

Function 06561DC1 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001d2d30b9da7b5bc4e59807f035aebe7a14818cc28619f3abc1a189f7db0bef
Instruction ID: 9d16a14d5d55e44e4d5df008236dbee0cab5e3137d41e868c51d85aa0cf81860
Opcode Fuzzy Hash: 001d2d30b9da7b5bc4e59807f035aebe7a14818cc28619f3abc1a189f7db0bef
Instruction Fuzzy Hash: 2E3118302446208BC775AB39C1516AEB3A3AFD22487558C7CD1478B790DFBAFC0A8B91

Function 018D44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9f031901a2577bea4f4777a274355d93be560d38189c3af3d255eceee1d122
Instruction ID: 23df71962084d5dfb94288cf819a3243bc04463d837f720efcab51c48107758f
Opcode Fuzzy Hash: ad9f031901a2577bea4f4777a274355d93be560d38189c3af3d255eceee1d122
Instruction Fuzzy Hash: 3E31D136500216CFCF10DF64D8488EDB7B2FF4830930584A8E1069B638CB36AD59DF91

Function 06564119 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fc18cdb7d957297bcb25e196e643d35933cec4b54a1bd7d21cdd27ae86a0b4
Instruction ID: d3fab0ed04a8f805cff3a986562fe1814283d428273bc55a6744f02fb726db78
Opcode Fuzzy Hash: 02fc18cdb7d957297bcb25e196e643d35933cec4b54a1bd7d21cdd27ae86a0b4
Instruction Fuzzy Hash: D131C131A002558FDB59DFBAD0442AEB7F3BB98304F148569D10ADB3A4DB38ED49CB91

Function 0656410D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fc18cdb7d957297bcb25e196e643d35933cec4b54a1bd7d21cdd27ae86a0b4
Instruction ID: d3fab0ed04a8f805cff3a986562fe1814283d428273bc55a6744f02fb726db78
Opcode Fuzzy Hash: 02fc18cdb7d957297bcb25e196e643d35933cec4b54a1bd7d21cdd27ae86a0b4
Instruction Fuzzy Hash: D131C131A002558FDB59DFBAD0442AEB7F3BB98304F148569D10ADB3A4DB38ED49CB91

Function 06562DB1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bdd21f3496a87d070c6c5d79672acbb42f07b9635f52cae9b793149de4adb5
Instruction ID: 424d002f58abc5be2905477bef1e128046bc4363f240f29ec73340aaefa67472
Opcode Fuzzy Hash: 17bdd21f3496a87d070c6c5d79672acbb42f07b9635f52cae9b793149de4adb5
Instruction Fuzzy Hash: A4316975D00109AFDB45CFB9C940AEEBBB6FF8C300F10882AE515AB661CB35A911CB61

Function 018D5C30 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8b61d7998c3c8d6565c9937b5958f77e85aaff117685083c899a19aa832922
Instruction ID: 76b91c63f2b506181fcda349395cc993edb590b01fc12d582dc2e6185d1d4d49
Opcode Fuzzy Hash: ff8b61d7998c3c8d6565c9937b5958f77e85aaff117685083c899a19aa832922
Instruction Fuzzy Hash: FA21C131B012099FCB189BB984551BFB7F69B98328B15853FD416EB351DF348E418BA2

Function 018D56C8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3f3b610ba1bed875950bb7e955ae3d236eb07ccf92235e5ed0789863332417
Instruction ID: 2e9b58e283d5ecaadcbe29b5ec34fcd42485631071c55e226450abd0e52b6b6d
Opcode Fuzzy Hash: dc3f3b610ba1bed875950bb7e955ae3d236eb07ccf92235e5ed0789863332417
Instruction Fuzzy Hash: 0021C131B00308CBDB149A78C4557EEBBF6AF88724F29006AE502EB3A0DFB54A458791

Function 018DE7E8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd48e4acef4859ad80112276df91b05700c39e49816599d1629e6a115a107ff
Instruction ID: 5f9e735c5d6ff3010a892761f4f2861c9ce2f57edbb6a9db7482d530ec9ef8e7
Opcode Fuzzy Hash: 1fd48e4acef4859ad80112276df91b05700c39e49816599d1629e6a115a107ff
Instruction Fuzzy Hash: 27215131E003199BCB64EF75D8429AEB7B6FF88308B104969D516EF690DB30AD05CBA1

Function 018D590F Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccb129e5fe681f255ec67f20738d89b6cc287d8b3171065977c55e4dc6571d7
Instruction ID: 541ae5dfc106b2f9ea73eac179e1f09b0b200c1ce153ccd7cb4c21357d9141aa
Opcode Fuzzy Hash: bccb129e5fe681f255ec67f20738d89b6cc287d8b3171065977c55e4dc6571d7
Instruction Fuzzy Hash: 1421F630701305ABC718ABBD94504BE77FAAFDA328711407F9006DB361DD749E058762

Function 06562AF0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c606c291328af070adf4dd16dfcfcd99a8e6911800fda37d4f9dd6ad649e888
Instruction ID: 0ea5c435d90710f53274f505c99280162b6ab5f6c21836b98ef3098eb8da8528
Opcode Fuzzy Hash: 2c606c291328af070adf4dd16dfcfcd99a8e6911800fda37d4f9dd6ad649e888
Instruction Fuzzy Hash: 50219170E04605CFD794CF69C5407AAFBE1FB84354F188979E009EB260DB319A82CBD1

Function 018D21E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944111f36020b1ff170019ed01ef214d68e6a022837647a522c9f06ff0e07eb4
Instruction ID: 4db576eb297c3651072be0e1ead0741323959a7e208a8eee665795cfeb1e5abd
Opcode Fuzzy Hash: 944111f36020b1ff170019ed01ef214d68e6a022837647a522c9f06ff0e07eb4
Instruction Fuzzy Hash: 6C312C7090830ADFCB54DFA5C1456AEBBB2FF45308F1041AAE502EB660D7359B45CB52

Function 018D9389 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c9c49412919c3cc875d7b01555381d684326a425b09966430fc98f76122a45
Instruction ID: 7605ff03baaa14001f3a11620e09ba5b614e4605225fdd592c9232a2ee91f581
Opcode Fuzzy Hash: 08c9c49412919c3cc875d7b01555381d684326a425b09966430fc98f76122a45
Instruction Fuzzy Hash: AE317F30D0834ADFCB15CBA5C195AAEBBB2FF4130CF1041AAD406DB292DB349B44CB92

Function 018D4998 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35ee6e43378819391c2d558d03c5c6a764132310432f3f9be2d84f5d424d8f4
Instruction ID: 527d3c2fa759c36437ed9285deebbc1821caf5fc40b0a6cf83e90c0d59ce6382
Opcode Fuzzy Hash: c35ee6e43378819391c2d558d03c5c6a764132310432f3f9be2d84f5d424d8f4
Instruction Fuzzy Hash: BB118432B113189B8B05DBB598508FE77B6EFD4718B04553ED506E7A50EF305E0A8791

Function 018D4FF0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bce53477f9f7a18053a589b9d259d9a87939ec05671e6099c82088c1ee671d
Instruction ID: 2d23a3efb6445a95861b8a8c5adcb5ae1100b7500e246b2c7176caed442a37e7
Opcode Fuzzy Hash: 15bce53477f9f7a18053a589b9d259d9a87939ec05671e6099c82088c1ee671d
Instruction Fuzzy Hash: 17219F31218709CBC314A779E540DB973B2FFC8358700896BC107CBA65DB396E4A9BE2

Function 018D62B0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3170c0d1de048913b1b24ce19ee451dc6a5960c66dc9f9fddded4fd6d15e70e0
Instruction ID: 48fbc1ff2d78cf3b384db9f25e3784c4c3c06c4db75c5c54424a2663c505494e
Opcode Fuzzy Hash: 3170c0d1de048913b1b24ce19ee451dc6a5960c66dc9f9fddded4fd6d15e70e0
Instruction Fuzzy Hash: B721CD71A0024D9FCB18DAB984117FE7BE2AB98328F64007ED506E7650FF318E0187A3

Function 06561C58 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b32842ef37203a6afd410457cdaa54e51750b25d8bf31fad046f0d995ec247
Instruction ID: bcc5d5c85850cda26f27068543ad9bb995181a2098d38a40d45498198db3a201
Opcode Fuzzy Hash: c9b32842ef37203a6afd410457cdaa54e51750b25d8bf31fad046f0d995ec247
Instruction Fuzzy Hash: BF218E35A04A14DEEBB48B6A95006FEBBF8BB88354F10497AF84697600DB319945CBE0

Function 018DE7D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0d4e897f22dc4e914cdfb7080d69a16c0760c3ff82583526550db196d3acba
Instruction ID: fe1b704cf9b02404675afa6d94a881262729335c71a8721d50f39c0f1b74f758
Opcode Fuzzy Hash: 8d0d4e897f22dc4e914cdfb7080d69a16c0760c3ff82583526550db196d3acba
Instruction Fuzzy Hash: 4A119331F04319ABCB64EF659842AAFB7B5FB88708B104569D506EF240DB31AA01C7E1

Function 018D45F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ae64b3556139997153578608f4c7ee30d5b3d7a2e9ef5239b1832fc9be377f
Instruction ID: 381492d938f23b6a6d68f7a4982b1d1e4c9f7c421ab317dd78e2479f8c739568
Opcode Fuzzy Hash: b5ae64b3556139997153578608f4c7ee30d5b3d7a2e9ef5239b1832fc9be377f
Instruction Fuzzy Hash: 7F112932E04756CBDF058A68E8002EFB7A2DFC6314F1541BAD90BDB691DB718D09C781

Function 06563966 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27db7bafc0fe1d7aff5bc12543d0ba0f74e0909e7a0e0e743acfd726762683b7
Instruction ID: eae361f6b3bccc3522db961c687de24038335bf054a1f4fb7d4a18cf7c6dd248
Opcode Fuzzy Hash: 27db7bafc0fe1d7aff5bc12543d0ba0f74e0909e7a0e0e743acfd726762683b7
Instruction Fuzzy Hash: 39317375A00204DFDB40DFA9C580EADBBB2FB88324F165194E911AB366D736EC85CF50

Function 018D5920 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec7e836a6549f0a316a685bcc38215dcf611a8e1e1ae9537f3f43960853d276
Instruction ID: 6242b892e9bea66529ecf8e2477a141aa8fc226f9c2cf4ef96170be72448f78d
Opcode Fuzzy Hash: cec7e836a6549f0a316a685bcc38215dcf611a8e1e1ae9537f3f43960853d276
Instruction Fuzzy Hash: 6B11E6307012156BC718A7BE985057EB3BBAFD9328751453F9007DB360DD74AE0487A2

Function 018D21F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3c496ccc81187cd6b998c9eecaae24454fe9aff002ece3e1f63b8dfa3cc4d0
Instruction ID: 17d54a9df578e1ebae1d29cf0fb488585581348b804784227910e6c01f181a35
Opcode Fuzzy Hash: bd3c496ccc81187cd6b998c9eecaae24454fe9aff002ece3e1f63b8dfa3cc4d0
Instruction Fuzzy Hash: C921F830A0830ADFCB54DFA9C1456AEFBB2BB44308F10856AE502E7660D7359B44CB92

Function 065623C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b77066758f09d452b1b19befc75b56f979ee422548af53f9db3b16b6e609c3f
Instruction ID: 480de9c16950bea4818d969d5609ecfa1a4635a99fb42fdba445098b9f9827b1
Opcode Fuzzy Hash: 9b77066758f09d452b1b19befc75b56f979ee422548af53f9db3b16b6e609c3f
Instruction Fuzzy Hash: B3219F30A04114CF8B98DF5AC440AAEB7F5FB48215F10846AE586E3200D771AE42CBD2

Function 018D51B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f855c839fba1418647e84c4144380be31ffc53c3db17b46d95735a58f07c51
Instruction ID: f03c58b63345e500f229876eb13ad8b2b0a6cd5a721ee20e8ddc5e68f1bb681e
Opcode Fuzzy Hash: f7f855c839fba1418647e84c4144380be31ffc53c3db17b46d95735a58f07c51
Instruction Fuzzy Hash: 371146719003099FEB00CFA5C4446AEBBF2AF89314F514469D509EB261EB746A4ACB80

Function 018D50E0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95e14174f4aac8cc7e9efba1ebfa1961376d7567f98b472a509dd43a6089d38
Instruction ID: 05d9d09772c29f24fe9e9ac2767f9e5974ab516b39f62ebdf52cef9d7a354911
Opcode Fuzzy Hash: a95e14174f4aac8cc7e9efba1ebfa1961376d7567f98b472a509dd43a6089d38
Instruction Fuzzy Hash: E411D331B00A15CF8F54EBB989002AE77B2EB88748B41417AC50AE7351EF349E0687E6

Function 01920855 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005864893.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1920000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddddaa874b65d3b186b1fd0c42f30d39dd656028ea9936a9258d3d7615bfc63e
Instruction ID: 17cf977b370c51c24e1470c5038f8339f7cd0c99091d693e6c8c1d5651280a61
Opcode Fuzzy Hash: ddddaa874b65d3b186b1fd0c42f30d39dd656028ea9936a9258d3d7615bfc63e
Instruction Fuzzy Hash: EE21413524D3C58FD707CB24C850B55BFB1AB46214F1D86EEE4898BAA3C67A8807DB51

Function 06560688 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90f0350a746514cb30cde920de091634aafa55f0f1b6588721388888be1f82d
Instruction ID: 89b4eec541d2836be8bd5ccdba54b1102e8d3007645b264118e2dbc894c52f58
Opcode Fuzzy Hash: e90f0350a746514cb30cde920de091634aafa55f0f1b6588721388888be1f82d
Instruction Fuzzy Hash: 84119E357000119F9748EB6AD854A6E77ABAFD92547188169E50ADB7A0CF32EC02CB91

Function 065623B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fa6e592383a42bb4643022a70377ee50e51ee1db48d3705c2dfb1b732f2965
Instruction ID: 6726b0b2b1ddc455c583ed41591763231a652ef8d48aeda93e0b3b6eb5194fb8
Opcode Fuzzy Hash: 08fa6e592383a42bb4643022a70377ee50e51ee1db48d3705c2dfb1b732f2965
Instruction Fuzzy Hash: CE113D31E05114DFDBA4CF9AD5409BABBF4FB48211F10846AF48AA3201D371AE41CFD1

Function 065636F8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a105e0085114fc9591612cdc8547d96b1fb7932dab3306e41aeda66d4eb6f92a
Instruction ID: 38f88110c2e201d5bf856a7fa637dfadfa0a0288b3839e96d1c5cd0dd53d7de6
Opcode Fuzzy Hash: a105e0085114fc9591612cdc8547d96b1fb7932dab3306e41aeda66d4eb6f92a
Instruction Fuzzy Hash: 841193B5E08349CFEB549B66C4493AEBBB2BB44318F14183EE00667341CB799A45CBD0

Function 0192088C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005864893.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1920000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7d7d5d432360eac5fa2599dd935e81ac63a934e7d0b6b3b161320a2f88fd27
Instruction ID: 10daf1cea376e21124dee9208d746c6d7b4dba830feae88c989d19c516d40702
Opcode Fuzzy Hash: ec7d7d5d432360eac5fa2599dd935e81ac63a934e7d0b6b3b161320a2f88fd27
Instruction Fuzzy Hash: 0311D234204284DFE315CB14D944B26BBA5AB89718F28C9ACF54E0BB57C77BD803CA82

Function 018D89F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df27a938f4311a0f6622c9e04f1c059497754966efc68299d2f04048bdb92420
Instruction ID: 66fa14e8ab7eeb9a3faa59798b5dc50410e87c4a0256d0c564fa6058c71a1ef8
Opcode Fuzzy Hash: df27a938f4311a0f6622c9e04f1c059497754966efc68299d2f04048bdb92420
Instruction Fuzzy Hash: 15119135644308CFC7299B35D0544A977B2FF9A3953150C6AD1878BB50DF74A90ACB52

Function 018D5810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84811a060b421253d4c5d832657b4ac5cec4c222ec8197048fc20efe578c7de0
Instruction ID: de7f731fd849373b2f2b8e842ed4480183245ea231716c35482065c09fa6bd7b
Opcode Fuzzy Hash: 84811a060b421253d4c5d832657b4ac5cec4c222ec8197048fc20efe578c7de0
Instruction Fuzzy Hash: 53116D31A01309DFD711DF75D542AAB7BB6FB4A358F2040ABC601E6260EB369E01CB91

Function 06561ACA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d4dc61536381adba97832ef292c3b2def47313e94674270664739390a8d8a2
Instruction ID: 2026342c1319c0d2eb7c579fd68446b76ed4c63be344da59fcb944eff7ed7e62
Opcode Fuzzy Hash: 40d4dc61536381adba97832ef292c3b2def47313e94674270664739390a8d8a2
Instruction Fuzzy Hash: C4014531705710AFCB246BBA98184BF7BAABBD9268305883FF406D7361CE359C05C7A1

Function 018D55D9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93fefdfce957a1d29ab9832d3a1fa0a793b3f194d80beb54ab067035a06c2a5
Instruction ID: 96ce82ce95c8399cd71c063d7d3f1e2fcba2640722e6acc1547d9ad084a16825
Opcode Fuzzy Hash: a93fefdfce957a1d29ab9832d3a1fa0a793b3f194d80beb54ab067035a06c2a5
Instruction Fuzzy Hash: 831191766003058FC704EF79E4416AE7BB6FB88349B1080BAC206C7270DF395D02DB91

Function 018D50D0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c5224d84793e1dbbba1dd4ef26a0e8b76bd24fff087a39b0a69d8da295f669
Instruction ID: f4ffaccd9b911f0d77330d0e05c06694d47b1b657d754797d501af5ab9994bec
Opcode Fuzzy Hash: 14c5224d84793e1dbbba1dd4ef26a0e8b76bd24fff087a39b0a69d8da295f669
Instruction Fuzzy Hash: A611A171A10709DF8F91DB7998416FE7BF1EB84788B50416BC605D7250EB315A068BA1

Function 06563B78 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5344c58ba902079e76305668fc2e57a39ccc4db0dcba8a0ea3e86d91e957f9
Instruction ID: 4f5e8bd2561c63212f97caf00fd870253fa87864631d5e75bb5b40cdd3348dd2
Opcode Fuzzy Hash: 0d5344c58ba902079e76305668fc2e57a39ccc4db0dcba8a0ea3e86d91e957f9
Instruction Fuzzy Hash: A511E532904268AFCB92DFB5C9109EABFF1BF4921070485BBF499CB221E2318955DF91

Function 06560390 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4602cc46cb498e992118b56e75c143b4e9a06d355532449a241792e8f6eeeae0
Instruction ID: 60e249a1f3f9e7253a3a8c2e2fb3dd7bfb229af03c1a59e9436c124344b36b7f
Opcode Fuzzy Hash: 4602cc46cb498e992118b56e75c143b4e9a06d355532449a241792e8f6eeeae0
Instruction Fuzzy Hash: A311C631780220AFD745AB3DA158B2937E7F7D9201F0405ACEA06DB3A1CA799C49DB54

Function 018DCF3A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de439947df5535500e3c7d2c5f501727e18b3bff26fc49e25a13acd1fd15a30
Instruction ID: 877d222a114cc1d7c4d040a705fd5b485e95b40e506db300c26ef5b1a17da696
Opcode Fuzzy Hash: 9de439947df5535500e3c7d2c5f501727e18b3bff26fc49e25a13acd1fd15a30
Instruction Fuzzy Hash: 640156347046445F8B99EB7CD52856E3BE7EFCA15531100BDE10BCB3A1EE209D48CBA6

Function 06561CCD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bdb1a482bb3df1b2e420e7755ed25260b28522f3bf03bc0da9294b8c6b2bc0
Instruction ID: a77c5784f16930313525cf92915a651aa8c0d1c5ca5ec362388e66e750abad64
Opcode Fuzzy Hash: 48bdb1a482bb3df1b2e420e7755ed25260b28522f3bf03bc0da9294b8c6b2bc0
Instruction Fuzzy Hash: 0611EC35A04914CFE7A98B6A90046FDB3F6BB88248F20493AE8439B210DB319946CBD0

Function 018D2390 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e396c441186c2913970cc8836a925671c451b0dd19219a8838050aedd31e745f
Instruction ID: 7ff9ac85bfc0b1c055faf105c933810088e838c3d5f5d493c9c349846df68c13
Opcode Fuzzy Hash: e396c441186c2913970cc8836a925671c451b0dd19219a8838050aedd31e745f
Instruction Fuzzy Hash: 67113A7091435ECFCB288F64D585AAEBBB2FB49318F1044AED506E7350DB750A46CF51

Function 014CB1EC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3004977991.00000000014C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c2000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fc5c89882146f0ccc1f36c77b8e14e38b243bd541264041f5e5fb7ac01339b
Instruction ID: e50a9a334967aa3eda693d9c8f4b68773da8e780348af3871c5f397bd53eca1a
Opcode Fuzzy Hash: a1fc5c89882146f0ccc1f36c77b8e14e38b243bd541264041f5e5fb7ac01339b
Instruction Fuzzy Hash: 3111BAB5A48301AFD350CF09DC41E57FBE8EB88660F14896EF99997311D375E9088FA2

Function 018DE5B3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb2bfd7fde5394d760fe6f0760d21a2d92bcb752da1f9bf871a8f339b89b5cc
Instruction ID: 6b171a30813660b33296673577413abc68725dc1d21a16a15a017dbdc5c09e8e
Opcode Fuzzy Hash: bdb2bfd7fde5394d760fe6f0760d21a2d92bcb752da1f9bf871a8f339b89b5cc
Instruction Fuzzy Hash: 4B110471A093459FCB50DB789805B9ABFF0FF05314F0040AAD208E7291E7345949C7E2

Function 06561AD8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da61cde6fc1b077cf9497789b965cbfd2d6e84be0289a0c21b8adf5c9be0871e
Instruction ID: 3320efc7d7988c4a55784a91e9e2ad3efecefdeafaf4cf808ef82290f6784895
Opcode Fuzzy Hash: da61cde6fc1b077cf9497789b965cbfd2d6e84be0289a0c21b8adf5c9be0871e
Instruction Fuzzy Hash: 7201F2317016159FCB282BBB985956F76AAFBDC268701483AE406D7360CE35DC0187E1

Function 018D8DC8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514c8424489fc83c1e9d82d824f49bceeaca091ebd2496c9d7c0594ffabdf9e4
Instruction ID: c74612e39655b7f55d0f1038d9944861aa69e14532e3f8df81364132c05b34ab
Opcode Fuzzy Hash: 514c8424489fc83c1e9d82d824f49bceeaca091ebd2496c9d7c0594ffabdf9e4
Instruction Fuzzy Hash: BC01F930A043098BD7258B28C914B7FBBF19B4670CF14086DC006EB741DB75AE028FC1

Function 018D8DD8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7940b41aef9a0df266a059091e4465caacf020b88c010258cc4d0e2765e1d23a
Instruction ID: 83d7ede305f32fa750f885afd0587d3f57a4240480762cad5d94891492342d1f
Opcode Fuzzy Hash: 7940b41aef9a0df266a059091e4465caacf020b88c010258cc4d0e2765e1d23a
Instruction Fuzzy Hash: EE01F131A083088BCB248A18C904BBFFBF19B86718F14486EC10AE7641CB71AE058FC1

Function 018D5820 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2966cee61f2969c6bb57bef8da190f987d5cedb3ef7d2febb8f6dfa47811fdf6
Instruction ID: 6a1e68d91ba79b6cb282d15f8998cc808f729b1a6c79b19a224efe734981cada
Opcode Fuzzy Hash: 2966cee61f2969c6bb57bef8da190f987d5cedb3ef7d2febb8f6dfa47811fdf6
Instruction Fuzzy Hash: 3C118E35A00309DFDB10DF75D542AAF77B5FB49359F1040ABC601E6250DB369E00CBA0

Function 018DE749 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8f09bca3f89b959418529d264b907097e0c6e4267684a59f58ea6c3a8f624f
Instruction ID: da31d9c4727b8e7f6e4811b7b4ae668960ca855d42d765832e4447222ccee623
Opcode Fuzzy Hash: ca8f09bca3f89b959418529d264b907097e0c6e4267684a59f58ea6c3a8f624f
Instruction Fuzzy Hash: F6019E346043089BD7689A14CD54EBBBBEA9B84718F16486DD406EB740CB656E018BE1

Function 018DE750 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c367993fe5f7f0a3e06912d5fa86e55ea3bae195d04a771f1d2f2b20d21938
Instruction ID: 47327b474291afcfbb3953c35bc0b81d804ac7a1f632cefcecd34fc131efa413
Opcode Fuzzy Hash: 49c367993fe5f7f0a3e06912d5fa86e55ea3bae195d04a771f1d2f2b20d21938
Instruction Fuzzy Hash: C201DE35A04308CBCB649A18C944ABFBBF29F8431CF12486EC106EB640CB756E058BD1

Function 018D7EB8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b85c755b3baa87af92682625ff1231dda275b755e71e51ed51dd59351cf7237
Instruction ID: 23ae40aaa192bc00bf60b37690a9cba042c25a4b26bb2b7e9df13cd864fc2c19
Opcode Fuzzy Hash: 8b85c755b3baa87af92682625ff1231dda275b755e71e51ed51dd59351cf7237
Instruction Fuzzy Hash: 2301DE31A083089BCB24CB18D954BBEBBF29B8571CF1408AEC016E7B41CFB16E0587D1

Function 018D8A00 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6e17c4bf95228e364faf3aa2d3ac89b72afa58423ba2f8ae60b6e3d57aa6de
Instruction ID: c09eb04cc5805e2eed6a19a6776d780084e8b6911893112cbc9fcf33e0dddf8b
Opcode Fuzzy Hash: fb6e17c4bf95228e364faf3aa2d3ac89b72afa58423ba2f8ae60b6e3d57aa6de
Instruction Fuzzy Hash: 84015B36640708CFC7289B25D0949AA77B3FB993893154D2AD18797B50DF70EA06CB52

Function 018D5F10 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3760e2a6dc41e3970144d6ea57a491679850f7b0bbd6a532200caef251f8d7
Instruction ID: 3a9aa52f3bba1bd8908143a94df4cb87eb9e5330322ef859816784d97a42f9ba
Opcode Fuzzy Hash: fb3760e2a6dc41e3970144d6ea57a491679850f7b0bbd6a532200caef251f8d7
Instruction Fuzzy Hash: 6301B571A103098FCF60FBB598456EFBBB5AF54318B80497BD006CA140EF34960587D2

Function 018DCF48 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac9363d937e631d11c33668a9f442ab50afb43e87f9cce268f315c14aa6ecc0
Instruction ID: a1b7798c7ad0a48eacde54c3095ba6f479ed3e54ab6cc51e9211d79e4fe12357
Opcode Fuzzy Hash: 8ac9363d937e631d11c33668a9f442ab50afb43e87f9cce268f315c14aa6ecc0
Instruction Fuzzy Hash: 36011A347002044F8B98AB7CD22856E37E7AFDA2553114079E10ACB7A0EE209C498B96

Function 018D8A97 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8648bd4a38cbdba7b7009a538a210336c8ff6fbcc0336e5d4a81d4adb5ff7bb9
Instruction ID: 79585ee2ec779fdabd74ace13996e3c2dc3b82f4790ed04658123ad600b935ab
Opcode Fuzzy Hash: 8648bd4a38cbdba7b7009a538a210336c8ff6fbcc0336e5d4a81d4adb5ff7bb9
Instruction Fuzzy Hash: CC0164B67043019FC7149B78D094468BBA2EFD63983158C7ED18ADBB50EB70AC05CB22

Function 018D7EA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ebf143179b854ef8823da4bbf8de1dfea7678aadc50ed301cda8f1d041cc8f
Instruction ID: debb022e793e4e76f9a3bcea3aa2c3f576b56c883ecac0def0ee1dfed73a6972
Opcode Fuzzy Hash: d3ebf143179b854ef8823da4bbf8de1dfea7678aadc50ed301cda8f1d041cc8f
Instruction Fuzzy Hash: 7F019231A08349CBD725CB28C554BBEBBF29B8570CF1448ADD016EBB51CBB59E068BD1

Function 06560380 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd8de00373ad07e3df6f4dbced41e955e1967940c5487d26493c34ae46ad3bc
Instruction ID: a3e493f30a5c3f3964dacd7265fbfc9cee8ad1399d18742610e0ef4c70ea82d5
Opcode Fuzzy Hash: 6dd8de00373ad07e3df6f4dbced41e955e1967940c5487d26493c34ae46ad3bc
Instruction Fuzzy Hash: E201F531784250EFD3419B39E418A253FE7FB8A201F0400E9E546CB2A1CAB49C89DBA5

Function 018DE900 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c6e0541345076c92d590b9f81ee6f86ad0c0983b1259854eb4afb848517784
Instruction ID: 600358199c9b55b82b7ac52c942d46bb8d44c88b032f57f3506328f425f82a47
Opcode Fuzzy Hash: f5c6e0541345076c92d590b9f81ee6f86ad0c0983b1259854eb4afb848517784
Instruction Fuzzy Hash: 01014730204301DFC710A739E5188A977E7EF89258301497AE106DF320DF34AD0E8BA2

Function 018D1209 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d445fb8d91998c0bf37556ea63c0bc9cca5c53f7071ef5522e730ce4953fe2e1
Instruction ID: b312b4ed7f407497d81b8b2b735daddcee6172550ec1ed6b5eeb22660ae4c2aa
Opcode Fuzzy Hash: d445fb8d91998c0bf37556ea63c0bc9cca5c53f7071ef5522e730ce4953fe2e1
Instruction Fuzzy Hash: 47015E70304240CFC704DB68D0589A97BE6BF8A319B1500EAE106CBB71CB769D098B92

Function 018D05C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d123914cb65e02249cf140108ba8051a836b7e9250d7db03c92e6b4ad93c8388
Instruction ID: 8cdc59ee082d04622532a71a509f06c989ff93a0e0ddabb529983d3e03c98238
Opcode Fuzzy Hash: d123914cb65e02249cf140108ba8051a836b7e9250d7db03c92e6b4ad93c8388
Instruction Fuzzy Hash: 6DF0FF327002345B8648633D54145FE638BAFC9648B29482FD10ACB3A1CFB98C8303A2

Function 018DD578 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa8231b4116dbf9cb335948343e69b5bd09f1842790d09790f53c8e432fcf00
Instruction ID: 25bb99d9274896590aa6de49a901ea3abf040ac6420453edf83954374b61cd4a
Opcode Fuzzy Hash: 3aa8231b4116dbf9cb335948343e69b5bd09f1842790d09790f53c8e432fcf00
Instruction Fuzzy Hash: 0CF022B2308214A7CB1032BD8C91AAA679B9BD22787904B3AF11ACB7D4CE55DD0543B2

Function 018D5F00 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb56aff60ed1b98cd5b55124bcae0c33f66b46ea29e7a89b4fc9771b6fe52eb
Instruction ID: bc4e6422ecea7aa8e92c3cfb5dab08f3fabce35a97b82a523869aa84f64e5f0e
Opcode Fuzzy Hash: 9bb56aff60ed1b98cd5b55124bcae0c33f66b46ea29e7a89b4fc9771b6fe52eb
Instruction Fuzzy Hash: 1B01BCB19103069FCBB5AF7898159AEBFB4EB4531878009BBD115C6190EB348214CB91

Function 019205DF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005864893.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1920000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670d809567274a8e63b8d6c746ad6fae289f15a696a25bfe01cc29b7392bb8a8
Instruction ID: 8540afaf631909df8371dec405314af6e0420ceea4a4f68b48556ab3047490b8
Opcode Fuzzy Hash: 670d809567274a8e63b8d6c746ad6fae289f15a696a25bfe01cc29b7392bb8a8
Instruction Fuzzy Hash: 12018BB65097946FD7128B06AC41862FFF8DA86530709C4AFEC498B712D2257909D761

Function 018DE5D0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1373d79d4e1eda19c3b40a02e139a8bddf825d282bfaa2a908f300bc680b61
Instruction ID: 7f80352fc1fb301f40f7ebe74509eabe901f76072f6273a7c823f181701f0175
Opcode Fuzzy Hash: 6c1373d79d4e1eda19c3b40a02e139a8bddf825d282bfaa2a908f300bc680b61
Instruction Fuzzy Hash: 6F017C72A0020A8EDF50EBBCA8057DEBBE4FB88214F10413AD618D7240E7345A498BD1

Function 018D9311 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4728e8626742275e77ec06586d52137ad63a2b65240b400d571c0e73773655
Instruction ID: 851ec25fb67b49d5193e2470a55e35b512113802fb5472c9bf5f8e858bb35f45
Opcode Fuzzy Hash: ab4728e8626742275e77ec06586d52137ad63a2b65240b400d571c0e73773655
Instruction Fuzzy Hash: 10F0F631708214934714226D9845FAEB68B9BC627C7555B3AE11ADF7E4CE60AD0543A2

Function 018D05C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e685d6943dcf19860df6202d1fac824f93d94a2601c087a3bd463cc067a7b4
Instruction ID: 34863fc674de4a21aaa986c97ca31abdf4be8c60083f02edbe8699da9dc9e650
Opcode Fuzzy Hash: 87e685d6943dcf19860df6202d1fac824f93d94a2601c087a3bd463cc067a7b4
Instruction Fuzzy Hash: EBF090327001385B4648237E55546BF628B9FD9A48B19482FE10ADB3A5CFB99C4303E6

Function 018D6F67 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbaeb4aa53c138bee3dbad8a111bbc1b8e80b4e5a9f46dc40feda9e25c9d667
Instruction ID: 79f13701c1552d3f46be4d7f3cd18e2a8c205099b46056d54f4fc8fe6ecee01f
Opcode Fuzzy Hash: fcbaeb4aa53c138bee3dbad8a111bbc1b8e80b4e5a9f46dc40feda9e25c9d667
Instruction Fuzzy Hash: 080196B0A002058FCB50EB789911B9ABBF1FF48314F5000BDC608D7260EB349A49CBA1

Function 018D6F78 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f146fe5867a48b653d6a6f381fa80b610e2fb4023d5329809388cd24633d7d1
Instruction ID: e1c3d1277e50fee5252f330f3f4c2d3f9846cd9b4ecbc14b6ce256c8c40b8d8d
Opcode Fuzzy Hash: 4f146fe5867a48b653d6a6f381fa80b610e2fb4023d5329809388cd24633d7d1
Instruction Fuzzy Hash: C3014F71A002099FCB50DB699941BDEB7F4EB48314F50457AD608D3250EB346A498BE1

Function 018D8B27 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa8d7117a63eaf16335fe93eefb9f59ca0dbdde9586563eadbf7c2cbe139e03
Instruction ID: d095a80db79321a1b084fa5aee0b102213e7685962640e12d3d4d343fa0e8a46
Opcode Fuzzy Hash: 4aa8d7117a63eaf16335fe93eefb9f59ca0dbdde9586563eadbf7c2cbe139e03
Instruction Fuzzy Hash: 12F028B270830097CB00667848507E963875F933347654B7ED119CF7D0CE608D0683A3

Function 018DC8DA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db87a459231e64ab6957963952cdca4ece27fee2073fada0c64a79b7b5ca497
Instruction ID: e9b634495e9d47d0d57e877774b10fde6d053f660844dc122fb3074acc438e05
Opcode Fuzzy Hash: 9db87a459231e64ab6957963952cdca4ece27fee2073fada0c64a79b7b5ca497
Instruction Fuzzy Hash: 5AF06274E00209AB9B20AA79DC59A9FBFEDDB81251F404475E909D7251EB309900CBE1

Function 018D78F0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba22743d4ea6d42da4b3f7a8735d27efbe5353429d07d7e1ed455741d50b31f
Instruction ID: b3bcf62a31845d9ab57ce101fe7df1f3ba06bb377f034e2d807d1017f0aa08a9
Opcode Fuzzy Hash: cba22743d4ea6d42da4b3f7a8735d27efbe5353429d07d7e1ed455741d50b31f
Instruction Fuzzy Hash: C3F07832309351A7C700677C8891AAC37965F8623C3554BBFD11ADF7E1CE688C0A4322

Function 018D47F0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394bc415bbf98da32929eeba16ab79f91543c93090340d91504c1d276ae0446d
Instruction ID: d04fa388420d3b31916b8414f9a364ce7f993aee6e57b8cd6adc28c6e8625a8d
Opcode Fuzzy Hash: 394bc415bbf98da32929eeba16ab79f91543c93090340d91504c1d276ae0446d
Instruction Fuzzy Hash: A9F02B3231035097CA1556BA640136D33CA8BC479AF54007ED20BD7B90DD76D84183A1

Function 018D927E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4310af3dca96cdce1d36b2f965d04de7c59c117203d1bdc536d14ba9c8007956
Instruction ID: 46696ce5279ec44ff84a18560e30e1f4b6fdb930794d42eea2c96ab006828475
Opcode Fuzzy Hash: 4310af3dca96cdce1d36b2f965d04de7c59c117203d1bdc536d14ba9c8007956
Instruction Fuzzy Hash: 1201D131344204CB8664AB6ED0945BE77E3ABC539C348493EE14BDB754CF71ED0A8792

Function 018D9280 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5af7b0730fe466bf3a59f660748c08726f264298e388efa8acbaa34f9dca0fd
Instruction ID: 74eab539e8a37e6e3127503f18f842381f854a170c55efdd953c4cc398e401c0
Opcode Fuzzy Hash: c5af7b0730fe466bf3a59f660748c08726f264298e388efa8acbaa34f9dca0fd
Instruction Fuzzy Hash: 46F0D131344204CB8664AB6ED0945AE77E3ABC539C348493EE14BDB354CF71ED068792

Function 018D1218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e82e21b4d194c88b7cd8aa65218253b2c89866f0509563e4f5aab7b1d04bf22
Instruction ID: d64891f514d15b54579f00172c3a0476f432768e09be7dd2a7aa9b1da9b12f4c
Opcode Fuzzy Hash: 4e82e21b4d194c88b7cd8aa65218253b2c89866f0509563e4f5aab7b1d04bf22
Instruction Fuzzy Hash: 55016D70314114CBC608DB29C05CDADB7EABFC9719B1144AAE106CBB74CF769D0C8B92

Function 018D7900 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e88525f6c8ba4b3e1452fe63cdd200313e0af3deb05006a8ea032ba8838b41b
Instruction ID: 678d6c588bbccbf4a496f5c82b1bdc50690270284166f75fc930f52617231c89
Opcode Fuzzy Hash: 5e88525f6c8ba4b3e1452fe63cdd200313e0af3deb05006a8ea032ba8838b41b
Instruction Fuzzy Hash: 99F0E933308229A34B14677D8891ABE738B9BD623C7954B3AE11ADF7D4CE689D054373

Function 018DE879 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86232257da22b45088872a3a202a2f0b0f8cd0719b9bff610e06699323dfa42e
Instruction ID: 3c65646b7b9838fd47564f8a6e10ee4d650066a355fddbdda9dd19330ff5ac9a
Opcode Fuzzy Hash: 86232257da22b45088872a3a202a2f0b0f8cd0719b9bff610e06699323dfa42e
Instruction Fuzzy Hash: BFF06D34B002169BCB14FB75E986ADEB371FF88208B108965D6019F2A5DB74AD0587A1

Function 018D8FA1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d4ebbce78f42e6462a7d9b6654e10d7b841aa0980d6ef34dfb3ce694b5cb4c
Instruction ID: 1b8175897e8d698b04d59233f57d59bb78877331e574f87137260a0d68f43898
Opcode Fuzzy Hash: 09d4ebbce78f42e6462a7d9b6654e10d7b841aa0980d6ef34dfb3ce694b5cb4c
Instruction Fuzzy Hash: ACF08134F002169BCB14EBB5E986E9EB366EF88604F008979D6019B265DB74AD0587A1

Function 018D8B38 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91cc790a9d3618128ed697afd6e255bfd0ad5b183626f5c6fb603bcb43fe21d
Instruction ID: 4f4c91796e7f403359e28736f899ed7b34400f162b21c8a6fd8357f016489e74
Opcode Fuzzy Hash: b91cc790a9d3618128ed697afd6e255bfd0ad5b183626f5c6fb603bcb43fe21d
Instruction Fuzzy Hash: 79F0B472308215938B14767D8891AAE638B5BD62383554B3AE21ACF7D4CE649D0643A2

Function 018DE910 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c8970fca08abf24e6f64fce7a11b114cffe10ce6570d2d96151d2b12030e16
Instruction ID: 38b78fab0e9edbed0381087d33d56ba7a4c47853805cfffd26574870d3a8be9c
Opcode Fuzzy Hash: 47c8970fca08abf24e6f64fce7a11b114cffe10ce6570d2d96151d2b12030e16
Instruction Fuzzy Hash: 77F0FF30300201DBCB50BB38E0088A973E3EF892193014979D60ACB324DF35EC0E8BA2

Function 065627CA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d3e7f539818fe73933c7278e0356988cbc03ac661096239c21f3126f55b3db
Instruction ID: 18b2f532912650f8580ae88600207667ed3e38e4d4a7f92d173ff56b573ee51c
Opcode Fuzzy Hash: 84d3e7f539818fe73933c7278e0356988cbc03ac661096239c21f3126f55b3db
Instruction Fuzzy Hash: 85F02763E0C3605FF7AA01AA5C48BF51F44B790365F0949B7F49ACB292C8144E45C7F2

Function 018D69A8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a3e11cf65cd42086848aeee1c4fea9eea6c9d59d6d9f77cd6dea50483ffa63
Instruction ID: 4b53ae11828ae03c22a493fffea7d695a47a7b4cfe1099f6ae269868902c2012
Opcode Fuzzy Hash: a9a3e11cf65cd42086848aeee1c4fea9eea6c9d59d6d9f77cd6dea50483ffa63
Instruction Fuzzy Hash: 4DF0F031A0431D9FCB509776A8016FFB7A1EB89398F2005BAC54AE3211FB341A018BC2

Function 018D69B8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a712cc4023fbff4f4712f75482c78ff5494ec827366d5aa2e5dd0f7a30c2e09
Instruction ID: 696aaba228c9fe7cf9e4443bc027c0667a8c2503cb03f93c2875aefec8b30c56
Opcode Fuzzy Hash: 1a712cc4023fbff4f4712f75482c78ff5494ec827366d5aa2e5dd0f7a30c2e09
Instruction Fuzzy Hash: 14F0E231B0471D9B8B14A276A8105BF73E6A789398F6044B6C94AD3340FF246F0547D3

Function 018D65F0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c477023df77ad97cf71a6f5bee6925dd514d1b8c5413627aca2f2e22c52be82
Instruction ID: 831fb8b0546b1b9dc88c7fc58f5de39bdb379438d8ec1a84266fd2d9eabaf632
Opcode Fuzzy Hash: 5c477023df77ad97cf71a6f5bee6925dd514d1b8c5413627aca2f2e22c52be82
Instruction Fuzzy Hash: 7BF0F631E1431D9BDF104635A4102FE77E59B8835CF1000AAD906D7291FB355A058BC2

Function 0656274A Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbff110265b718c2995095d0b59f4fde57f2655ab58ee2b7944d39c18229ccd
Instruction ID: 295ec836a23a40cd08cd78162f4ccef9b1e09e91d17cb9ad3ed0584614e8219a
Opcode Fuzzy Hash: fcbff110265b718c2995095d0b59f4fde57f2655ab58ee2b7944d39c18229ccd
Instruction Fuzzy Hash: 52F027352052106F932192699820CBB379DDBC2120311886FF009CB741DE219D0287F0

Function 018D5DB0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bda2d8f658c581d20cf9e99d09160cf0ae17c5baa55a631b7930e55b6565d07
Instruction ID: 27690b63ed638278e8680a1a07144786778370c504b77c93dea517747e53e577
Opcode Fuzzy Hash: 8bda2d8f658c581d20cf9e99d09160cf0ae17c5baa55a631b7930e55b6565d07
Instruction Fuzzy Hash: 2AF06271E01215CF8B90EFB958055EFBBF6EB88224B10007AC408E3311EB348A018BD5

Function 018DB651 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2bebffec1871214bbc2cfd9b1e1a02e43b61f61925c909a6a1181797875fcdb
Instruction ID: 4130b4af50a021d347b9df21015dc794c60fe7ab28827ba4fbbe121d23a7646e
Opcode Fuzzy Hash: d2bebffec1871214bbc2cfd9b1e1a02e43b61f61925c909a6a1181797875fcdb
Instruction Fuzzy Hash: ACF0D13080524ADBC710EFA8E54989ABF74FB42208F4185AAE04097660DB346E1DCB91

Function 018D4788 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e47bc2170b941cdcdb5e115a16896d74bd4b7f03a0d634f016787741bc80c2c
Instruction ID: a21f2e082b55e9544ecbb46e4b9a28e0cc60adf44925dfa16ce3fbfce0724128
Opcode Fuzzy Hash: 6e47bc2170b941cdcdb5e115a16896d74bd4b7f03a0d634f016787741bc80c2c
Instruction Fuzzy Hash: 27F027313103158FC7526BF8B0112EE3BD0AF82359B1100B7D00ACBA62DB7A8C028782

Function 018D4699 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bc0a33f3fb83c7742be034c92c6e9b88b62d2fac363cfbc6deeb60f81f19d0
Instruction ID: 0232c7269570ed34d549c348a830e8c74ce90b61e83e0d199e49b8682b664a37
Opcode Fuzzy Hash: e2bc0a33f3fb83c7742be034c92c6e9b88b62d2fac363cfbc6deeb60f81f19d0
Instruction Fuzzy Hash: 5EF0BE30E0031A9FDB90CBB8AC45BAABBF8EB89210F20007BD60CD7251E23009048761

Function 06564980 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb91bf17d9533e0fbee38f2294bbef910fbe4caa7c3d5c5c2885805687418ad3
Instruction ID: 53dea549aa2ba40dd20fde6e668b20c590faf0e0a2b92b3e05d35aa5bc8aaf5a
Opcode Fuzzy Hash: fb91bf17d9533e0fbee38f2294bbef910fbe4caa7c3d5c5c2885805687418ad3
Instruction Fuzzy Hash: 32E068313052203FD611122A3C01FBF3B9EE7C2220B0440A7F502C7392C9255C0643F9

Function 018DB8F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b691b4dfe7c0f138a55faf25399b2ab054dbba52f8f7d90470f876be9963bffb
Instruction ID: 9d591deea6bc6450aa84530b048421057bf0761f48ee3de7c7d04692e6eae271
Opcode Fuzzy Hash: b691b4dfe7c0f138a55faf25399b2ab054dbba52f8f7d90470f876be9963bffb
Instruction Fuzzy Hash: E9F0547004938EEBC7109B28EC44CEABB14FB4532C3424956F405CA625E678AE0DD7E3

Function 018D8839 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f1380e99fcca22aabe2c131681445c1e2e9bf0be7866d650ba30a8e79da9dd
Instruction ID: 3a22a9f78545e3d1ce736c6a8491f575fa699aa712978ae999fdad057cfd00f9
Opcode Fuzzy Hash: d9f1380e99fcca22aabe2c131681445c1e2e9bf0be7866d650ba30a8e79da9dd
Instruction Fuzzy Hash: 1EF0B435A04308DFC700DB75E8878BEBBB0FF86308F008466D522DB251E6319705C791

Function 06561F18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d06be5d9967049dd03ab3db9506250dc3d7940876f989ecbb852c46038ed7dc
Instruction ID: 237cae407062eb9ee286dc17d751966b96a223e2d4345fc1b590f57fe69e293e
Opcode Fuzzy Hash: 8d06be5d9967049dd03ab3db9506250dc3d7940876f989ecbb852c46038ed7dc
Instruction Fuzzy Hash: F8F0A735209A804FD371D36DD4109B9BB66EBC156470585AFE04A8BB92DB229C0AC7F1

Function 018DB202 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a84d75db8500e847bf1df0c974e06353bded24b6a1b126e9f32bf0245257298
Instruction ID: 2c28ee94d1cadc996da60d6d4cf408b5c416515238d0b6fa427f292d2faf832e
Opcode Fuzzy Hash: 1a84d75db8500e847bf1df0c974e06353bded24b6a1b126e9f32bf0245257298
Instruction Fuzzy Hash: A7F03A70805209EBC711DBA8D945DAEBF70EB46248F4185A5E484A7220EB345E59CBA5

Function 018DBA78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07763c8ce1df1274eabedd19c3d419f78685dc2ac6410021ecef568342e04f37
Instruction ID: e17c9b31de0a74c2d32ae6d883d517eb861392ab0735c2c77ab848546af0b846
Opcode Fuzzy Hash: 07763c8ce1df1274eabedd19c3d419f78685dc2ac6410021ecef568342e04f37
Instruction Fuzzy Hash: E2F0E536A06364AFCB221668AC14DA73FEDE70A25230200A2FE09C33A1DD248C4487E2

Function 01920948 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005864893.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1920000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction ID: f69f0f63c0fce891ed035f6fc9fd93f8ba9fd68a4072fd4d9a8513db3215fc33
Opcode Fuzzy Hash: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction Fuzzy Hash: 3BF01D35204644DFC306CB04D940B16FBA6FB89718F28CAADE94907B66C737D813DA81

Function 06563B88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f36132c8478747553eeaffdefcb86d5b3be69927a89e27e20b6c711d025b271
Instruction ID: 7b8251477962a5224947af74ffed2482ff88dd4edbe4b0592b33be9602e2f68e
Opcode Fuzzy Hash: 8f36132c8478747553eeaffdefcb86d5b3be69927a89e27e20b6c711d025b271
Instruction Fuzzy Hash: 83F05431904119EFCB81DFB5C9009EDBFF5FF49210B0084A6F568D7261D6358660DB91

Function 018D60B4 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d8e0b2c86142067adeeb300ba540c4395ea0be2f27fc793427558f89252656
Instruction ID: abeb4e22f4dceff9af80714f3a579cfd45694913c830aade4954d648b5a6e50d
Opcode Fuzzy Hash: 69d8e0b2c86142067adeeb300ba540c4395ea0be2f27fc793427558f89252656
Instruction Fuzzy Hash: 45F0B771D5120E9FCFA0DFB8D84A5EEBBF4EB48314F10007AD119E2201E2354A118BA1

Function 018D56B9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd52ec7b9d5171b1f615fdb6ecce7477e80f5133d853d48d549d7ed7cc7957ce
Instruction ID: 352fa76365549e70709149828300eac2ae22aa9122ee24ed695760e749e8584c
Opcode Fuzzy Hash: bd52ec7b9d5171b1f615fdb6ecce7477e80f5133d853d48d549d7ed7cc7957ce
Instruction Fuzzy Hash: 11F06D32B002089B8B565A7DE80419ABBF9EF8A364F00007AD508D7261FB7149258B91

Function 06564A79 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0382fba4c53bb1ebf6e0c8c40c060462078d2780046d2ab644f317488831a2
Instruction ID: a316f0c6f5790ab36343ff023ab65e4f0b15db19e022bf630d50ee7466660dfc
Opcode Fuzzy Hash: 5d0382fba4c53bb1ebf6e0c8c40c060462078d2780046d2ab644f317488831a2
Instruction Fuzzy Hash: 11E020313152202FD34496749CD18BF779DDBD6524318859FF406C7291C5614C02C3E0

Function 06563978 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be430b298042d853a21fb1196cd1a66977150ecde48522232d07fb8053d0a98
Instruction ID: 0b4c6d57c6c36fad8fffb4cb92f1ba7aa2df43fe2d9abd11b7bae62cab8655d0
Opcode Fuzzy Hash: 5be430b298042d853a21fb1196cd1a66977150ecde48522232d07fb8053d0a98
Instruction Fuzzy Hash: 00F08C30218294CEA3914E5349108227765BF8124C3047A6AF48387A11DE65B801CFC3

Function 018D788F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ab3b6c5e87a46096b0d771cbe67d1b081def0131d16b4900929554175ad19e
Instruction ID: 79f72b6d1e2e3861cb74007cc3df889799e9cad5c8880f00378ccc59421a04bb
Opcode Fuzzy Hash: f0ab3b6c5e87a46096b0d771cbe67d1b081def0131d16b4900929554175ad19e
Instruction Fuzzy Hash: 0AE06535B412151BCB58B3BEA81839D67635FD0718F814179C106DBBA2DF208E068793

Function 018D5882 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9ce97e1fd6d83e67fb3cbadb0b39456c0159717b68a0ef166e69776f6a3293
Instruction ID: 6c84197692e0d626562454b8c947a0ed424757259a6868462d57c191b3cbc7b3
Opcode Fuzzy Hash: 9f9ce97e1fd6d83e67fb3cbadb0b39456c0159717b68a0ef166e69776f6a3293
Instruction Fuzzy Hash: A5F03031B042098BCB04ABB9EA166AE7371EB8836DB4181B7C517D6562EF209D058756

Function 018D6208 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc58b3b09a18c24342a2b0311bfe60fe579db9d77450e6ee73c3e9ec99d1b62
Instruction ID: 7d0c598c9ad9517cd98a68c33ef858f91490bbcb2ccc80d7cb2c8b7083b9099a
Opcode Fuzzy Hash: 9dc58b3b09a18c24342a2b0311bfe60fe579db9d77450e6ee73c3e9ec99d1b62
Instruction Fuzzy Hash: 06E068367402165BC6182268940276F738B8BE5710F20403FE506D7360ED724C0283A5

Function 06561F6A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fcd5e9142f1545001dbee6aac432a7f0a09f11ef6f0d26bdb18406d8295282
Instruction ID: 99d3185b0d810a275f8a505103ce653c1d5c3a9d7ef67509e45519f0e620f305
Opcode Fuzzy Hash: 31fcd5e9142f1545001dbee6aac432a7f0a09f11ef6f0d26bdb18406d8295282
Instruction Fuzzy Hash: FCE09A3020AB60EFE3F1122A64005B2B768BB8A2513004D6BF48BCB041DB759842C3F1

Function 018DC87F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1d9b0d1683fa0ecd75d7fedac6db994c5d5c2a8fb1ea9be35dc3876772d4a4
Instruction ID: ab7d285934b1134d9b59b80500f3f978092f666bc91d1c44aa80a14251fcf312
Opcode Fuzzy Hash: eb1d9b0d1683fa0ecd75d7fedac6db994c5d5c2a8fb1ea9be35dc3876772d4a4
Instruction Fuzzy Hash: E1F0ED316443704FC355ABED88256AA7BD29FA6260B04096ED08ADBF51CE328D01C7A2

Function 018DB668 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8ebe7b4fd41c863be60e4e4b59b006d03c94dc305a0830071f5a2fda7a0109
Instruction ID: 62404c74282857051be1241144e63a1e65d1349b1195c1704bd72b7dffd94173
Opcode Fuzzy Hash: 9d8ebe7b4fd41c863be60e4e4b59b006d03c94dc305a0830071f5a2fda7a0109
Instruction Fuzzy Hash: 60F08C3090020ADBC710EFA8E585C9EFB74FB4130CF408968E40067264DB34AE4DDF96

Function 01920606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005864893.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1920000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d91112e0d24936e77839d31f583a612ec7fe4775e0593ebb53177db50c24b9
Instruction ID: 105e4e496fa469ea11bc095cd0dc54137e568a6f3ec336840f86d183e8c7a380
Opcode Fuzzy Hash: e4d91112e0d24936e77839d31f583a612ec7fe4775e0593ebb53177db50c24b9
Instruction Fuzzy Hash: 06E092B66056045B9650CF0AEC41462F7D8EB88630708C47FDC0D8B701D635B908CAA5

Function 06562758 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2564288f8151bcd1b4c7b6e3fa4674843628651ad7fa85950f5b620f2761d98b
Instruction ID: 6f2c192a04dca87545538e6e5f96e01a270d04809172dc376f7e46ebd5901307
Opcode Fuzzy Hash: 2564288f8151bcd1b4c7b6e3fa4674843628651ad7fa85950f5b620f2761d98b
Instruction Fuzzy Hash: 8FE0DF352006109B5360E66AC410CAA73DAEBC1564340882EE50A8B740DF62ED028BE0

Function 06561F28 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49500116c466b802e138e8fbb57132eb19ced6b12f1855e1b3ad044c56c0d371
Instruction ID: a0a547756f8c787d081fefb56cca74916004127e65a80c2fe439b8d4ec8d56a3
Opcode Fuzzy Hash: 49500116c466b802e138e8fbb57132eb19ced6b12f1855e1b3ad044c56c0d371
Instruction Fuzzy Hash: F6E0DF31314A109B5370E79EC410CBAB3AAEBC1964300886EE10A8B740EF62EC02CBE0

Function 014CB23B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3004977991.00000000014C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14c2000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a94ec083810c12b5906780b52163937520132bc833a8bab4f08013915606e35
Instruction ID: 9e72a53c084995cfbc25a0275e156e9c0e636ecbe064011d3f795d99827be246
Opcode Fuzzy Hash: 4a94ec083810c12b5906780b52163937520132bc833a8bab4f08013915606e35
Instruction Fuzzy Hash: 3DE0D8F264120467D2508E069C45F62F798DB80931F08C56BED095B702E275B5048AF1

Function 018D47E9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d3946897300ca2e65ca4553a569d5084f1ce20e4696510118442e28568da30
Instruction ID: 7d0cdd0673399e4ef4474ef6919d09b090b6fe8cbcca275fb558ae2ff64a6920
Opcode Fuzzy Hash: 46d3946897300ca2e65ca4553a569d5084f1ce20e4696510118442e28568da30
Instruction Fuzzy Hash: A5E07D32310744ABC612426E504232533DAC7C9BDAF50007BE107D7B10DA329902C3D1

Function 018DBA88 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0719d19607c5de447e6061ea893f0b74a396e369b89538863c3f3d2b3901666
Instruction ID: d53e196e9fc3fd35130158fdbf38830c930780bda8fef64a8b34c127b07dce4b
Opcode Fuzzy Hash: b0719d19607c5de447e6061ea893f0b74a396e369b89538863c3f3d2b3901666
Instruction Fuzzy Hash: FEE0D835F11234CB8F2537ACA41866677D6E78D7923124576EE06C3755DD30CC048BD2

Function 018D6210 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f2211d40719c8244726f8a98bd57cbab7c1db29a80f89f87eae6c8f53e2e19
Instruction ID: 450ce53081a1845aec224d22655d62b0ffaf2a48393d2afb62235593fb63997c
Opcode Fuzzy Hash: 06f2211d40719c8244726f8a98bd57cbab7c1db29a80f89f87eae6c8f53e2e19
Instruction Fuzzy Hash: DAE0863534021A67C518626A5452B2EB38F8BE5B65F10043ED60ADB3A4DD765C0243A5

Function 06564309 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e374e0b94f3fe53f1304e08e2734f155fda5cb9520c8e538471d8eb22f323bf1
Instruction ID: b4f664023cbde49ca7f66b9e330e9e48c6705103dd73f4b281f96faa29a6ba64
Opcode Fuzzy Hash: e374e0b94f3fe53f1304e08e2734f155fda5cb9520c8e538471d8eb22f323bf1
Instruction Fuzzy Hash: 7EE04F2034D284CFF3F28617A41167A3BE4BB82215F49C997F04B8B553821549D6CBD3

Function 06563988 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1928204a730a21a3dc5f8f74415655ba83abd6296931d93b9b6f2f0d05eff4e9
Instruction ID: e42744e4b55a1c04e90a7419f6babd9e568c275e399390ed7b69c9d425d883fc
Opcode Fuzzy Hash: 1928204a730a21a3dc5f8f74415655ba83abd6296931d93b9b6f2f0d05eff4e9
Instruction Fuzzy Hash: C3E01A30219604CF67D45E538A10867726ABB8158D3447E2AF88347A10DE71F841CEC3

Function 018D65A1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dba5b620683464fce305dacc64d2c40e8484b7d26a5e8fbacf6cc8f8f8c06a1
Instruction ID: 7a0378c33014606898b6eb05255b11f77a9ba2baa8e26234a2af61bba96baaca
Opcode Fuzzy Hash: 1dba5b620683464fce305dacc64d2c40e8484b7d26a5e8fbacf6cc8f8f8c06a1
Instruction Fuzzy Hash: 4BE0683190C329CFC75027A8A0001E93BB08B51369764016BE609C71FCFA858E804B66

Function 018D9028 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0d767653ac826644996d69f3c9105b238728b0ad00f8a602c51bc55d51d252
Instruction ID: d49db8db35a3a0f87a4c6881de4b4baebc55af778b8d3ab65555d16665a08485
Opcode Fuzzy Hash: 1d0d767653ac826644996d69f3c9105b238728b0ad00f8a602c51bc55d51d252
Instruction Fuzzy Hash: A8E06D3150830ECBC610EB04F5448E4B715FB5030CB418822E40AC6A29D77AAF0C8B83

Function 018DB210 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71713c9ec82331c4ef221aa3fe9106d8e00707c0c836e847934775a99ccad3a7
Instruction ID: 671126df1a5ab1587aa30f5eeafcd5bb72022935d14f167abe12d5b33c46f28f
Opcode Fuzzy Hash: 71713c9ec82331c4ef221aa3fe9106d8e00707c0c836e847934775a99ccad3a7
Instruction Fuzzy Hash: 22E06D70800209DBC710EFE8E545DADFF70FB46349F4085A4E40063220DB346E19DB99

Function 06562798 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc68ce3a4c93666d3044cafc5d1ecf61269630c9a6818aca4a9e18a13081b568
Instruction ID: 508a5e473c3e7739b13c09e5a58008b3f455218f2d600efc292045958daf133f
Opcode Fuzzy Hash: cc68ce3a4c93666d3044cafc5d1ecf61269630c9a6818aca4a9e18a13081b568
Instruction Fuzzy Hash: C4E04F3010D740DF93618F629915CA2FF69FB0661270449AFE44A87512D775A940CBF1

Function 018DB262 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafe7e019571bd1ca0c2dd6e899bb81bdc63727e96cf898fd0329b7c7f7a23c8
Instruction ID: d7586587c17cc71c4a28115175b8238d2cb53568db7eaa6dd06decb2038c4380
Opcode Fuzzy Hash: bafe7e019571bd1ca0c2dd6e899bb81bdc63727e96cf898fd0329b7c7f7a23c8
Instruction Fuzzy Hash: 4AE0DF2054A388AFD711DBB8D408AAABF78EB43208F0509DA944493251CB295F18CBA6

Function 018DB900 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60a3578a5f922cec109d2d94fad9e9a0830ceacb9b41a63241fbd4d79608ec1
Instruction ID: f3dd8161ef48e586c902ddd30452617ebbafd2735af750aadbc34e6e80f8977d
Opcode Fuzzy Hash: a60a3578a5f922cec109d2d94fad9e9a0830ceacb9b41a63241fbd4d79608ec1
Instruction Fuzzy Hash: 1EE0ED7015434EEB8710DB6CE544C9DB355FB4532C3828926F4018A624F778BE0DDB82

Function 06564AC0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9bcd4cda6d2678a2f7768458d4f7c0622647d6fd955dbe748fea63b46b3944
Instruction ID: cb1406ef3e4507d30b0d26103eb709a3cce52074a761a439a23b4be37ed0c010
Opcode Fuzzy Hash: db9bcd4cda6d2678a2f7768458d4f7c0622647d6fd955dbe748fea63b46b3944
Instruction Fuzzy Hash: 4DE0C232A857846FCB61DB71A4544BD7FB9FFC222430141ABF4058BA72C7268D55CF11

Function 06564990 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e382924f45f908c7de6318fc61d56e69365af00406eff52b3f3176959783931f
Instruction ID: 02bd39c493c1128a03d734112c9a7ac3544d7199b934cba25d5d949576c6a386
Opcode Fuzzy Hash: e382924f45f908c7de6318fc61d56e69365af00406eff52b3f3176959783931f
Instruction Fuzzy Hash: 2DD02B3170022427DA10262E6805F7E33CFE3C4610F044429F207D7354CD766C0243F8

Function 018D5EC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ca4879b1c6901435c23f6bbac08ae5699225ca5a7aa2ecb3f6c58b721a0b26
Instruction ID: 62e44b5ab4f6c9b61a93b266573b275801157ae9e88e57528c8497c9c9a0b099
Opcode Fuzzy Hash: e4ca4879b1c6901435c23f6bbac08ae5699225ca5a7aa2ecb3f6c58b721a0b26
Instruction Fuzzy Hash: 03E0C2316A53148FCB94B77C44102FE77B59BA1B28F5049BFC00ACB251ED664B024381

Function 018D895E Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17969ff79cdd37c5bb837f49f84858310a35e67f1a0977a023785bddffc08aad
Instruction ID: eb94df8e70dc1ef105742376e7e1637308c8202c5df2d7f3391db4043c43e880
Opcode Fuzzy Hash: 17969ff79cdd37c5bb837f49f84858310a35e67f1a0977a023785bddffc08aad
Instruction Fuzzy Hash: 3EE01A7110830EEBC6109B58E445CA9B769FB4632CF418926E18286628D774EF0DDB43

Function 06563B41 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af23e2f400df0626f163b3f570461fe508b92310def5737509f5af472f8b6e67
Instruction ID: 9f0fa301f57aeda4496cd89f9b15b7f22a487f62eb43bc558140dc25184efc08
Opcode Fuzzy Hash: af23e2f400df0626f163b3f570461fe508b92310def5737509f5af472f8b6e67
Instruction Fuzzy Hash: EEE0C23030A2A01FE701963A3C047A63B5A8BCA310F1642DBF145CB1E7C5A45C0947B2

Function 018D65B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b481e3bb20c54d5b404c536d6cae3e613a2803cc16626b0660e0cde209f714d
Instruction ID: 1ac6e6f1b3fc15baf0ce3ded20afa43e7b586677fa65d3839a7f3a787475a7f2
Opcode Fuzzy Hash: 8b481e3bb20c54d5b404c536d6cae3e613a2803cc16626b0660e0cde209f714d
Instruction Fuzzy Hash: 12D05B3160822D87D75036D9A0046AA37A99750759BA5001AFA0AC72ACFE96CEC407EA

Function 018D8960 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d812b5dccd5b2ae1dc77f438abaaede04aba46934ee84af8afda12209f2d429
Instruction ID: 0bcaf7dead9fdea913283bada2fdf1253b22d2f79a52ed18b04b199984be0769
Opcode Fuzzy Hash: 9d812b5dccd5b2ae1dc77f438abaaede04aba46934ee84af8afda12209f2d429
Instruction Fuzzy Hash: C0E04F7110830EEBC610DB58E445CA9B779FB4632CF418926E1818662CD774EF0DCB43

Function 018D9038 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa75e71e9a39ef7a7c64f457375311a2c7aa7ff93f6c05075521d3fe87c00a3
Instruction ID: 7695ee96249cdb774c8ebd317420470feea473e9fd8497d922c5c11bfd4efb6a
Opcode Fuzzy Hash: 9fa75e71e9a39ef7a7c64f457375311a2c7aa7ff93f6c05075521d3fe87c00a3
Instruction Fuzzy Hash: C8E0EC3091830ECB8610EB18F584CA8B359FB5435CB40C922E406CA629DB79BF0D9B83

Function 06564A88 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c13bdf809392d96b30cf5c183b52fbc07f512eab68997a960d07da69c4198ce
Instruction ID: fb7bf266d2358f006654bba23d8a6007f9bdbee6c827fc054cfbc8ba7679f904
Opcode Fuzzy Hash: 2c13bdf809392d96b30cf5c183b52fbc07f512eab68997a960d07da69c4198ce
Instruction Fuzzy Hash: 1DD0A735304138275544E5BDD89187973CFEBD5568304889FE50ACB391CE73AC02C3D0

Function 06561F78 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d35ead54269f4d53b549cd0540a8b9d56e74c224efb08a0e29d59fa5ea29bd3
Instruction ID: 23b4eb7e091a576cf91ebc82ce78cb007c00c4662556028a5943d0d2f32760ba
Opcode Fuzzy Hash: 1d35ead54269f4d53b549cd0540a8b9d56e74c224efb08a0e29d59fa5ea29bd3
Instruction Fuzzy Hash: B3D01731219A20DFE7F4266F90005B2F2A8B7496967404D2AF44BC3104DFB2A881C3F1

Function 018D89B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a29f28458a5a526cd2fcbcc0e2559dd9fa729b9866895a870d29b7bac2c98fa
Instruction ID: 2ca6815f3c47d6d39a5e2192bc953ba64058f040d7b4e924754fec6aed3116e5
Opcode Fuzzy Hash: 1a29f28458a5a526cd2fcbcc0e2559dd9fa729b9866895a870d29b7bac2c98fa
Instruction Fuzzy Hash: 03E0C232205210CBC7855FF5F1492A93F32FB89299304096EE18ADB2A1DF3A9D1DDF42

Function 018D58D6 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d8ecbfb33594c2d7539272683b8c5b1d008a4edef4b323a62e80a41a7f2afa
Instruction ID: 0283c6e1802e8d5ccd9c2d47dbad29ca42996f84d1f88c0bd4982523be73c37c
Opcode Fuzzy Hash: 44d8ecbfb33594c2d7539272683b8c5b1d008a4edef4b323a62e80a41a7f2afa
Instruction Fuzzy Hash: 54D01231B0420C8B8B54A7BCA9195ECB771DB842397514577C11BD2552EF3156018756

Function 018D7A28 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff98b92c31badf4fbfe7ff324ec2701495876fa9ccc85f1c0ad4561256fb76e
Instruction ID: 84eba966ee2a1e6766a835c3d61dba9b64c85b8b27b0d80bfffe7ff82d2170a5
Opcode Fuzzy Hash: 2ff98b92c31badf4fbfe7ff324ec2701495876fa9ccc85f1c0ad4561256fb76e
Instruction Fuzzy Hash: 04D0C231009318CAD3358AF594007627BD95B0130CF08149E814A895118672E7848393

Function 018D016F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8291c9f43f2a945d6b1fd4f18bf7a346c03efbe7d1cba5e2c26185f67b5c04c4
Instruction ID: a19f6a3e028f77616c845ab7b60015fec1eb3bd7d921d12f09774893d7acafd4
Opcode Fuzzy Hash: 8291c9f43f2a945d6b1fd4f18bf7a346c03efbe7d1cba5e2c26185f67b5c04c4
Instruction Fuzzy Hash: 4CE017367517008FCB695B74E4590AC37B2EFAA21631144BBC00A87761EB3AC885CB01

Function 018D6580 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be2daf893e141b644ad00ca00d3d8631242d30d312165bb69d3f37d4db38ed6
Instruction ID: dda8e7447fb4502bb7c37451e3c6d33085134d8dc878de1062390ff6a4b0a753
Opcode Fuzzy Hash: 6be2daf893e141b644ad00ca00d3d8631242d30d312165bb69d3f37d4db38ed6
Instruction Fuzzy Hash: 1ED0237510C3414FC7521BB86C100DC3B30FD53AB23DA01DBD08CCA5F1E6680C019B21

Function 018D9096 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4c73b27484694a5c01bb368ccfbea57f1944fb1d6fa04f88dd3ffa10352bab
Instruction ID: ce87f69af4ea83b49524a091dc3b8e6ea99f5407e79c83711e14c1db115e0a57
Opcode Fuzzy Hash: 8c4c73b27484694a5c01bb368ccfbea57f1944fb1d6fa04f88dd3ffa10352bab
Instruction Fuzzy Hash: 4BE0863095C3558FC356EB34C45D4583B64BB013AC3050BA9C0618B5A5DB692A06C796

Function 014B23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3004920049.00000000014B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b2000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13851f62cae25d8c8f4082eadf93af384b8ff6a6455b60801c408bdd74c48dae
Instruction ID: 61cb38dc60560879db8b1888fbaf8c6e3d1959bf92da88ff6535042009a8db56
Opcode Fuzzy Hash: 13851f62cae25d8c8f4082eadf93af384b8ff6a6455b60801c408bdd74c48dae
Instruction Fuzzy Hash: 36D0C7392006904EE3168A0CC1A4FC63BA4AB60704F0A00FAA8008BB72C7A8E480C210

Function 06564930 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0f1df8b183edf2fef1eb78bff2f5818a22356d8853d311af2360a0f2e7c4fd
Instruction ID: 5350911df0a2bf41af04b7b233320cec17bd2118a4eec804fd8ba53a5b24e3e6
Opcode Fuzzy Hash: cf0f1df8b183edf2fef1eb78bff2f5818a22356d8853d311af2360a0f2e7c4fd
Instruction Fuzzy Hash: 93D0C9200882C7CEFB886A67E6097343AD9774121EF158522F26E87441EA55D84CE6FB

Function 065627A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efb81240f652910b18dbd95a4ac65c8fd40d1a2bca9a3b6ba9a5fb7fb1af882
Instruction ID: c96b002364ed3803f39d425b67fc51b922e98e4fcb1b348e76a311e61bfd9f63
Opcode Fuzzy Hash: 9efb81240f652910b18dbd95a4ac65c8fd40d1a2bca9a3b6ba9a5fb7fb1af882
Instruction Fuzzy Hash: 9CD01231219214DF93A45E67E504CA27769FB49B67B004D6EF04F87601EBB2BE40CBE0

Function 018D74D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: a55b664f1b0f86bfb715760de8b6ef160eac24a2fa82499beed0b4e8b8bfb2e1
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: C4D0423AA001048FD705CB88D5849DDFBF2EB88325F28C1A6D915A7251C732EE56CA50

Function 018D0650 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21df298a48bbcc9f2a8c37485c064a49d6139b521bdeec503733213a70d52678
Instruction ID: b29eaf69f5973a6f7cd2cc905d0bfc8d3848774f2c6b823f2d914ad6ba87d157
Opcode Fuzzy Hash: 21df298a48bbcc9f2a8c37485c064a49d6139b521bdeec503733213a70d52678
Instruction Fuzzy Hash: 44D0A5710C9344CFC3D10FB074140953731D7D331AB14447BD041C1432D9355552CB11

Function 014B23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3004920049.00000000014B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14b2000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75bf6bbad7897c4dea4b7b45fea1f2e119187969d0bc49ccea436ad21c5c2cb
Instruction ID: 5812b6b1cb4069241c4bbaf7800cb5df0c33c20ea811d34b128303e796a22a31
Opcode Fuzzy Hash: c75bf6bbad7897c4dea4b7b45fea1f2e119187969d0bc49ccea436ad21c5c2cb
Instruction Fuzzy Hash: BCD05E353412814BD715DE1CC6D4F9A3BD4AB54B15F0654EDAC108B772C7B8E9C0DA10

Function 018D6030 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629a8783ae12f9e9c123b81b1a67cace1c75a5075863f3404f0fcb7a31d7ef4
Instruction ID: eca145a4c1597c75977a858b7358297a228981854cf9e48b7a9ac82bfee0d233
Opcode Fuzzy Hash: f629a8783ae12f9e9c123b81b1a67cace1c75a5075863f3404f0fcb7a31d7ef4
Instruction Fuzzy Hash: B9D0A7340083458FCB724F2084040653B745E4234872140DBC809DF163F22ACD27CB12

Function 018D819E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9582de748af6f6c73df3a8837e7d880765ed403ffcc789f475875eec1ab14b
Instruction ID: 368c42903238a6ee80316c83f2c6314da9bc0ddcf9b683a093960da7bdc8e5c4
Opcode Fuzzy Hash: 7e9582de748af6f6c73df3a8837e7d880765ed403ffcc789f475875eec1ab14b
Instruction Fuzzy Hash: 8BD052B0A00A09CF8B91CF71D85049D73F0FB093243200B6AD8129B3A4E3385E09CF20

Function 018D5558 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf8f7ac0c6ff98c2674c4255fa667ce1fd019bac2f04fa3b996bee364dc0ab1
Instruction ID: ad27be29199bd7a3e4fc277f14cbb4da5eec7d104050d0ab35b73a5dd876ed74
Opcode Fuzzy Hash: baf8f7ac0c6ff98c2674c4255fa667ce1fd019bac2f04fa3b996bee364dc0ab1
Instruction Fuzzy Hash: 6BD0C9604443498FDBB25BB9640C368BF7AA700B0AF884153F04AC002ADB204650CB16

Function 018DFF25 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0fd1bc7a4f5c7c6d1ce8a03ea3009864a3dfc3ba117a623f80b252b3386983
Instruction ID: 48e1255bb012be01cd6d22e72020fad67db1593c08031b267fa0fa08fce4b8bb
Opcode Fuzzy Hash: 7c0fd1bc7a4f5c7c6d1ce8a03ea3009864a3dfc3ba117a623f80b252b3386983
Instruction Fuzzy Hash: 18D012372490484BD705DA69F4844EABB32FA943717284067D68155103DA31505A9B19

Function 018D02AC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fcae5db8917d798ed5eb584fb452def405a061f575f2144b96cf6dbecaec39
Instruction ID: 5d632425562989e5ab7c03d0204e8d0c1b87d3ad46d447ce8ad9fe802a671969
Opcode Fuzzy Hash: 96fcae5db8917d798ed5eb584fb452def405a061f575f2144b96cf6dbecaec39
Instruction Fuzzy Hash: C4D092755057448B87B5EB58E15889AB7A1EF85714702CC1EE49746A28C730AE818B42

Function 018D0180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2932ff39d894f71e152d7a5e2ede259174210231a2bea9993b4ea885127d4ab1
Instruction ID: 367c83b00cc6a80fe93ba7c83681adeeaa1d7ca07c33e3853abd81d1b36b2e10
Opcode Fuzzy Hash: 2932ff39d894f71e152d7a5e2ede259174210231a2bea9993b4ea885127d4ab1
Instruction Fuzzy Hash: 9CD01234201304CFCB282B74F11C06833AAAB8860A35108BED50A87364DF3AE880CB00

Function 018DC7A8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bf1662603f4b6bdb4d975b68a19640c4afcfcdad9cf31fc83c570e90f4045b
Instruction ID: 9978832864e5ce188cad59d0808f43e96e11e6f091395ade2210ec6c5211c1a8
Opcode Fuzzy Hash: 87bf1662603f4b6bdb4d975b68a19640c4afcfcdad9cf31fc83c570e90f4045b
Instruction Fuzzy Hash: ACB092312582084AEA51A6BDB84472637DD8740658F490066F60CC1A41E746E4A56480

Function 018D5E50 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2894b5b6d6976c475e3f32a44b7600c5d98e25a1925b77ac22efa0f9f35c33ed
Instruction ID: 8d06081ed597f239df08e2398355a5c1e73b1d5d97ed1679d5764064b35a8ba9
Opcode Fuzzy Hash: 2894b5b6d6976c475e3f32a44b7600c5d98e25a1925b77ac22efa0f9f35c33ed
Instruction Fuzzy Hash: 2AC02B702003098F8AA037B4250C13FB7ACCB8064A3C04023D00FC1013EF20F8000741

Function 018D0660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da64602839bb44fdc97d64f38b4c4088db708c16b89a83e4d4b1a7d75394c2fc
Instruction ID: eba3307bf3fc21b423fa712b4b9570e3bd2d9023a9da30088063af6feca9bef9
Opcode Fuzzy Hash: da64602839bb44fdc97d64f38b4c4088db708c16b89a83e4d4b1a7d75394c2fc
Instruction Fuzzy Hash: 20C02B7008630CCF829417B03808435730997C030FF60C037F00240022DE32E5E18911

Function 018D6040 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fd5b7d926ae3f5e6426d4a279b8320076233f3ed11344dab720738cbd6f81b
Instruction ID: 2e831eb9497163c9627a7e0438dca10d60a4fdf9fdf71ce9f44c19e6c944512f
Opcode Fuzzy Hash: c2fd5b7d926ae3f5e6426d4a279b8320076233f3ed11344dab720738cbd6f81b
Instruction Fuzzy Hash: 1DB0923020470ECF5BB12BA5A50C62B37AC9A447093500056A50ED1016FA14AA004666

Function 06564AD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6239048cd10d1f5e05136a3831589fc2e8f2e956efa856b447447c869ca67fd1
Instruction ID: 557b8f9e88c5a780843324e533578db7a849b73f9299723fcf8abe9b94210bc5
Opcode Fuzzy Hash: 6239048cd10d1f5e05136a3831589fc2e8f2e956efa856b447447c869ca67fd1
Instruction Fuzzy Hash: 3CB01221940E0D0B8BD077F6240802C73CC9BD00183C01011A80D43B399E25D4198391

Function 06561150 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9809f4e016e58f9e10dc1e544306c6ff2bdfb9e8dff637b3404cae68cf7d3a6e
Instruction ID: c2d02b201f3ea5d592c02a169adedf54e5391222fa5ef44bbc8bc902e20a30f2
Opcode Fuzzy Hash: 9809f4e016e58f9e10dc1e544306c6ff2bdfb9e8dff637b3404cae68cf7d3a6e
Instruction Fuzzy Hash: 22B09B70008D05DF52B1671BD9058A5B629FB451153C04D21F1014616557746D0486D6

Function 018D74FC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: e922401042239597bfc6a8fa6ca0b2e5ea5024186e9f6abecc88102b17741ff3
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: DAB092B7A04118C9DB008A84B4813EDFB20E790329F104023C31092000C23202648691

Function 018D5E4C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b64c6ab190958d2095e23448ac9277b4dfa2e24dbbdcd68baa6b77dbf74022
Instruction ID: 7f6d293c2a11b3f5c671135d425946d2cfc031994cf5150c03901fadc11bc642
Opcode Fuzzy Hash: 18b64c6ab190958d2095e23448ac9277b4dfa2e24dbbdcd68baa6b77dbf74022
Instruction Fuzzy Hash: 70B01270108B094B49D03750380973673288B40AC9B048013981FC5436E65086409682

Non-executed Functions

Function 018DA140 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49e4d5700eb538394a6ff245b6b517e28bfa64ed7dca6a9ebb8712c23edc20b
Instruction ID: 061b4f7b3a020cc68ab2cf38bb4f26d30cedcb8bdc125a727f06ee2f0828a531
Opcode Fuzzy Hash: a49e4d5700eb538394a6ff245b6b517e28bfa64ed7dca6a9ebb8712c23edc20b
Instruction Fuzzy Hash: 7681A032F112198BDB18DB7DD884A9EB7E3AFC4354F2A8079E405DB365DE74AD018790

Function 018D306F Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6964303c31c9ca46164212b0edfcf3b4d516a911521a1aeb9c7bbf52a36d79d0
Instruction ID: 0fec8d309306d3c4f40118d397d46926107206e469163c386343dfaebd152b14
Opcode Fuzzy Hash: 6964303c31c9ca46164212b0edfcf3b4d516a911521a1aeb9c7bbf52a36d79d0
Instruction Fuzzy Hash: BD517E76F111158BE714DB6DD980A9EB7E3AFC8314F2A8074E804EB769DE34ED018B90

Function 018DA207 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620427f09a74a479d049ecc3cda1f1a22dcb41a8ff0b8b53d4a648c000b4602a
Instruction ID: 92c8494f6add13aabbad619761763081dfb78d1d97dd30ded131f12487de7733
Opcode Fuzzy Hash: 620427f09a74a479d049ecc3cda1f1a22dcb41a8ff0b8b53d4a648c000b4602a
Instruction Fuzzy Hash: D6518032F111158BE718DB6DD881A9EB7E3AFC8314F2A8075E405EB769DE74ED018B80

Function 018DB3E6 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3005811908.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18d0000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae273b2ec652bfe67219923bcf3ddf0c097dc3444269c26d3c2a40c6e19cff8
Instruction ID: c18c8cb6c2978f2367d4a180d43c994ca2f356c83dd57652ae52bb054c29fcb6
Opcode Fuzzy Hash: 6ae273b2ec652bfe67219923bcf3ddf0c097dc3444269c26d3c2a40c6e19cff8
Instruction Fuzzy Hash: A5419DB4E012089FDB05DFA8E994AAEBBF2FB49304F108069E806A7364DB356D45DF51

Function 065644C0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31924b982b35d9f2a8149fde477121fb38f094202012d2dec6a792dbb36c707
Instruction ID: 6bcd9a2316a6d9f5760c8908d8ee9133cc2229e42006fe0bb855799bb9ea171f
Opcode Fuzzy Hash: e31924b982b35d9f2a8149fde477121fb38f094202012d2dec6a792dbb36c707
Instruction Fuzzy Hash: 48015771D162189ECB40DFBAA8486FEBFF4EB8A255F04906AE049E3241D7344644CFA4

Function 065644D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3011623786.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6560000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd5031395646c77dece331992f75737e8802d9f5b8f218c212fc41fb6c558c0
Instruction ID: c815fc66b1f4522cda826db63a43c1388964cb1984f9d3ba9f77a01bb98768a0
Opcode Fuzzy Hash: 2dd5031395646c77dece331992f75737e8802d9f5b8f218c212fc41fb6c558c0
Instruction Fuzzy Hash: 65011671D162188ECB44DFBAE8486EEBFF4FB4A255F04902AE048F3250E7344584CF68

Analysis Process: NYQbqD59m8.exePID: 5756, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	6

Executed Functions

Function 013523A0 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f`k, xrefs: 013529C2
f`k, xrefs: 013526C1

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k$f`k
API String ID: 0-3251778840
Opcode ID: d59a460fc7cd5170d0f762ece97dd103ca9618d1cccf5b7b8d49e1f404544885
Instruction ID: feae6d4e9f5835864ee2c726065e83d4bd29f90f5940796088cc7f1091e9b5c6
Opcode Fuzzy Hash: d59a460fc7cd5170d0f762ece97dd103ca9618d1cccf5b7b8d49e1f404544885
Instruction Fuzzy Hash: 3612D330A00219CFDB74DF29D498A6EBBF2BF45708F148629D816EB25ADB74DC42CB50

Function 01353850 Relevance: .9, Instructions: 861COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb47ef03bdf786efed0b332ab5a0c4e3bb9700a41286e6ec29d9c99b10b5fc57
Instruction ID: ee5ee48f798f50fb7a00f49b3d346e42032eccf562c452d9b7ddca772add371e
Opcode Fuzzy Hash: eb47ef03bdf786efed0b332ab5a0c4e3bb9700a41286e6ec29d9c99b10b5fc57
Instruction Fuzzy Hash: 6262F231A0421ACFCB15CF68C484DAAFBF6FF85748B1985A9D8099F616D731EC46CB90

Function 01352FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31f028536c322b6c106ca42c456bd92015de6391b82df67072a593d5585671c
Instruction ID: 6ce278fde7162fe57fb03ba4bca196b4514ee624d10e350f410e04d4cff26ad8
Opcode Fuzzy Hash: a31f028536c322b6c106ca42c456bd92015de6391b82df67072a593d5585671c
Instruction Fuzzy Hash: 6981BF32F111198BDB54EB68D890AAEB7F3BFC4758F2A8074E805DB765DE349C018B90

Function 0135068C Relevance: 2.6, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-Zjk^, xrefs: 013506A1, 013506A6
Zjk^, xrefs: 01350702, 01350707

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: Zjk^$-Zjk^
API String ID: 0-783871933
Opcode ID: 7e6ab6019f24a07f973e4b1366df0ff28205ef8e51e58c6f737179f04265d482
Instruction ID: 298dd1e758137c6f57eb4d53962cdf628de8edda2cb667cd53595434de282e58
Opcode Fuzzy Hash: 7e6ab6019f24a07f973e4b1366df0ff28205ef8e51e58c6f737179f04265d482
Instruction Fuzzy Hash: DC419D30214211EBC7387F74F81EA6D3AA6BFA17097145A79F802CB268DF758C058B92

Function 0121AA02 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0121AAB1

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f6648835c91aa1c2023979aa5735d3c746e4ef01ab69370a36291f7497378dec
Instruction ID: 4e1627ce3e8d22f175b1923331dbc90b8fa2e29d398965d4b68ab535ed3ed217
Opcode Fuzzy Hash: f6648835c91aa1c2023979aa5735d3c746e4ef01ab69370a36291f7497378dec
Instruction Fuzzy Hash: C631A272404384AFE722CF55CC45FA7BFFCEF16610F08889AE9858B652D264E949CB71

Function 051C00F6 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 051C019D

Memory Dump Source

Source File: 00000006.00000002.2130270488.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_51c0000_NYQbqD59m8.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f0e6fa11a82c271dcbd5d010a1cf90fc591b1660b338ce08233fe0449b341a6d
Instruction ID: 768e4b7e4ad6bdf934af42c596754421121764f9b5346686f8caf62efce1ff7b
Opcode Fuzzy Hash: f0e6fa11a82c271dcbd5d010a1cf90fc591b1660b338ce08233fe0449b341a6d
Instruction Fuzzy Hash: 76318171509380AFE711CB65DC45B9AFFF8EF16214F08849AE9448B292D375E908CB61

Function 0121AAF9 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,240C71DC,00000000,00000000,00000000,00000000), ref: 0121ABB4

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f7ee0e2c2929ef7402296bf9c02894fe228943e398bc9248b03a3406e3d8f715
Instruction ID: af290dae065cd8e0148e34813a3b1ab58ba6a5d799930ef54b98c06c74f58eea
Opcode Fuzzy Hash: f7ee0e2c2929ef7402296bf9c02894fe228943e398bc9248b03a3406e3d8f715
Instruction Fuzzy Hash: EC3191755093846FE722CF65CC44FA2BFF8EF16214F08889AE945CB293D264E948CB71

Function 0121AF50 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0121AFEA

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ce3b01d2b3d561610b16829b9f011003d5e3ba3bc6864eefeb738ccf1b63e31a
Instruction ID: 20b74ecccc1f00e5d9e0d2bed0d809685733e145502d09a791848bdfe63f4e3f
Opcode Fuzzy Hash: ce3b01d2b3d561610b16829b9f011003d5e3ba3bc6864eefeb738ccf1b63e31a
Instruction Fuzzy Hash: 4A2195714093C06FD3138B259C51B62BFB4EF87614F0A85DBEC84DB653D224A919CBB2

Function 0121AA32 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0121AAB1

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c6b1974685819ad915b2cef66717cb8eeb013892a80029b840d1099ca6fcc1dc
Instruction ID: 2640877b0399078b02d0d58a4f7f3a4055bf06fe37ba1ccf91e8a422b3e30264
Opcode Fuzzy Hash: c6b1974685819ad915b2cef66717cb8eeb013892a80029b840d1099ca6fcc1dc
Instruction Fuzzy Hash: F521D172500204AEE721DF55CD44FABFBECEF24224F04C85AEA458B646D774E9088BB1

Function 051C012A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 051C019D

Memory Dump Source

Source File: 00000006.00000002.2130270488.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_51c0000_NYQbqD59m8.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 32164dbb223c99c5fadbb4c6fa9e8cfa21bfb0def1938d6b528e80df7510fb82
Instruction ID: 670879da05cdf5675c0cb4d62c87e002a6dab9b7a54f33de1199ddab3cafa8c1
Opcode Fuzzy Hash: 32164dbb223c99c5fadbb4c6fa9e8cfa21bfb0def1938d6b528e80df7510fb82
Instruction Fuzzy Hash: 5021D071604200AFE720DF65DC48BAAFBE8EF18224F0488AEED458B641D375E908CA61

Function 0121AB3A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,240C71DC,00000000,00000000,00000000,00000000), ref: 0121ABB4

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 523cf893ffe3ed801f960899a968a80c223a373e9a66fd9d973c255a03706c47
Instruction ID: bc2b0e299e73bdee035bc05850db4c2314786bf880ad8ff04da99a2bd8abc968
Opcode Fuzzy Hash: 523cf893ffe3ed801f960899a968a80c223a373e9a66fd9d973c255a03706c47
Instruction Fuzzy Hash: D221A175501244AFE721CF59CC40FA6F7ECEF24610F04886AEA058B655E360E508CAB1

Function 0121A51F Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121A58A

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 45e156494da97d7361ce548f6ef19dee1830a202012915ceeed79181a26180d2
Instruction ID: 6019a792243bcb4529e421a863fcfca4ac53d105e47e99d528a6d2782bfe1686
Opcode Fuzzy Hash: 45e156494da97d7361ce548f6ef19dee1830a202012915ceeed79181a26180d2
Instruction Fuzzy Hash: FF117271409780AFDB228F55DC44A62FFF4EF4A310F08889AED858B563C375A518DB61

Function 0121B7CA Relevance: 1.6, APIs: 1, Instructions: 61
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0121B841

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 79c4d0e159080e054b76581884eb14ff33ee30d1b9c065a9cb1b5deb92f70992
Instruction ID: 0edb5e9074eca955132f227b8a2375c6aa81c87046af82569003ce377a6712e4
Opcode Fuzzy Hash: 79c4d0e159080e054b76581884eb14ff33ee30d1b9c065a9cb1b5deb92f70992
Instruction Fuzzy Hash: 51216D714097C09FDB228B25DC54A92BFB0AF17214F0984DAED844B163D265A958DB62

Function 0121BB4F Relevance: 1.6, APIs: 1, Instructions: 59
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 0121BBB9

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ecbafc907fb559dc45921b0912ba374478b77fc648fd645e0e65e79bf9f7da3a
Instruction ID: b3f2e83dbe8914906c349fa3c09d0deb915b5f82e37d57d3bb0bb868650bfeb3
Opcode Fuzzy Hash: ecbafc907fb559dc45921b0912ba374478b77fc648fd645e0e65e79bf9f7da3a
Instruction Fuzzy Hash: AC1126350083C0AFDB22CF25CC45B52FFB4EF16220F0884DEED858B563D265A808CB62

Function 0121BE05 Relevance: 1.6, APIs: 1, Instructions: 58
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?), ref: 0121BE70

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 44a5bbf288d74400f1ab76e5c362319a5f2fe49d4738f018eb81608115b6f807
Instruction ID: 9dee73b25c7dc3a0791040915f0b9791c6ea3ac370e9d513063c11135d99066b
Opcode Fuzzy Hash: 44a5bbf288d74400f1ab76e5c362319a5f2fe49d4738f018eb81608115b6f807
Instruction Fuzzy Hash: FE1181754093C0AFDB238F15DC44761BFB4DF47624F0984DAED844F263D2656808CB62

Function 0121B71E Relevance: 1.6, APIs: 1, Instructions: 57
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0121B78A

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4bc45b0b23b0c7d92e143eb4c63d2b9e2283c27bb55c65c1033deffe0a23ebce
Instruction ID: c7a342dd2f354bc37581e2a8a44a1dd8b1ffa9547e094c499c8438287bc8658c
Opcode Fuzzy Hash: 4bc45b0b23b0c7d92e143eb4c63d2b9e2283c27bb55c65c1033deffe0a23ebce
Instruction Fuzzy Hash: 2B11A232408380AFCB22CF55DC84A52FFF4EF4A310F09889EED858B562C375A418DB61

Function 0121BEB4 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0121BF0C

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 6ad57be7dc462d959e0556d5e50963ba03c0cbfffda472d5afec01fe245525bd
Instruction ID: b17e85e48eb0953edf40b3872600f6b5ec9bbcd16f8528cbd17eecbd81b59e7f
Opcode Fuzzy Hash: 6ad57be7dc462d959e0556d5e50963ba03c0cbfffda472d5afec01fe245525bd
Instruction Fuzzy Hash: C21191716043819FDB21CF29DC84B56BFF8EF46220F0884AAED45CB256D275E848CB61

Function 0121A75B Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0121A7BC

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d16c21ffe6a70304ed1373862ca5a544aa3cd6f98cdbde8979f60a07b6f50c31
Instruction ID: dc898541a336c5988b3f19de7a4fae8a017c670e3814261db0e02f3fdb0a2849
Opcode Fuzzy Hash: d16c21ffe6a70304ed1373862ca5a544aa3cd6f98cdbde8979f60a07b6f50c31
Instruction Fuzzy Hash: 7011BC714093849FDB22CF25DC84B52BFB4EF02220F0984EBED458F253C279A948CB62

Function 0121A8CC Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0121A926

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 726d57f2abd8c32a8bacec8bdbd057255317ff816bc2c09b075dbbf194a93c7d
Instruction ID: 2e2f204c19347994c426d84d53fa53ebb84b199ec503990758eb0171f317be21
Opcode Fuzzy Hash: 726d57f2abd8c32a8bacec8bdbd057255317ff816bc2c09b075dbbf194a93c7d
Instruction Fuzzy Hash: 4B118E75409784AFC722CF15DC85B52FFF4EF56220F0984DAEE854B263C275A858CB62

Function 0121BED2 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0121BF0C

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: a82340db34f6614b10d2960c0f7fda2b1fcd8e0601b4e40d65ff566822f4f351
Instruction ID: 21f61593be64f4d5d3e8b88f6fa8fb49cd358f511fa46becc28684c84fa605a3
Opcode Fuzzy Hash: a82340db34f6614b10d2960c0f7fda2b1fcd8e0601b4e40d65ff566822f4f351
Instruction Fuzzy Hash: A4019E71A102019FDB20CF2AD885766BBF8EF10220F0884AAED09CB646D675E408CF62

Function 0121A546 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121A58A

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 282b747c565301cace957ded7ef20eafba000f3c47a4bd00b62022d36034437c
Instruction ID: e64eb5bf1d3bc85b749c80bc8c21037118aed77dc1fa447c4d7669cc1f8f64f1
Opcode Fuzzy Hash: 282b747c565301cace957ded7ef20eafba000f3c47a4bd00b62022d36034437c
Instruction Fuzzy Hash: 0301AD32904640AFDB21CF55E944B56FFE0EF08320F08C8AAEE494B616C375E018CF62

Function 0121B746 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0121B78A

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 2ebfc1f8becd35d84ff7e2c7f14a54e50b4848c0df7f380dfb451cf04fbdb414
Instruction ID: 4d53b4c7b72761fd08cce6c2a071acd92c8d7cef641cea13fcd903dd55cfb243
Opcode Fuzzy Hash: 2ebfc1f8becd35d84ff7e2c7f14a54e50b4848c0df7f380dfb451cf04fbdb414
Instruction Fuzzy Hash: 1C016D325006049FDB21CF55D984B66FBF0EF18320F0888AEEE454B626D375E419DF62

Function 0121AF9A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 0121AFEA

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 46e4bf0c9387f8ba6675ad178bb85d0ef4242f443d3ec9789bda360fcd9813cd
Instruction ID: 4e6fb731e8de83879da1b6828521f7efee81db56a043a8fbacb6748aecd94ff4
Opcode Fuzzy Hash: 46e4bf0c9387f8ba6675ad178bb85d0ef4242f443d3ec9789bda360fcd9813cd
Instruction Fuzzy Hash: E801D671500600AFD310DF16CC86B66FBE8FB88A20F148159EC089BB41D731F955CBE5

Function 0121BB7E Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0121BBB9

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 86b08e1df1fac281ad00c368c5ed04cd029bf5e83a1c648e566f126b58641911
Instruction ID: 89102ce4cb366d7449b63820cc6f196ce70fa8002780541fc164052d21b30f1c
Opcode Fuzzy Hash: 86b08e1df1fac281ad00c368c5ed04cd029bf5e83a1c648e566f126b58641911
Instruction Fuzzy Hash: 9101B1355106009FDB31CF1AD985B66FBF0EF14220F08C4AAED454BA6AD275E558CF61

Function 0121A78A Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0121A7BC

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 252f78f259e84e3fc0271bf35216f67574fd43393ca250d7508c751d592829aa
Instruction ID: 9aec48dba261158d0c5b5dce4340d6c0b7f5c5eaca9ddaa9a18ea145fc092fd1
Opcode Fuzzy Hash: 252f78f259e84e3fc0271bf35216f67574fd43393ca250d7508c751d592829aa
Instruction Fuzzy Hash: 1D01A2755152409FDB20DF19D985765FBE4EF04220F08C4AADD098F646D379E544CFA2

Function 0121B806 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0121B841

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cfc27eba6738d356549105153318ce1c102e79b6812990501cea7f6495d31ffa
Instruction ID: 30a7f3fade563076db3c56dbb17637570377cb91bcb7c996ff1e8ad063b4e930
Opcode Fuzzy Hash: cfc27eba6738d356549105153318ce1c102e79b6812990501cea7f6495d31ffa
Instruction Fuzzy Hash: F901BC314002009FDB21CF1AD884B62FBF0EF18720F0884AAEE450B626C275E448CFA2

Function 0121A8EE Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0121A926

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 04d35a447cd1768602b6f33c0b07bdbef5aeb5d710559b9ee8c2ea638dcfe69b
Instruction ID: e60692243130731f9ca026daf9fdb34e5776eb8e1ce87b8e7afaaca42eb8ca25
Opcode Fuzzy Hash: 04d35a447cd1768602b6f33c0b07bdbef5aeb5d710559b9ee8c2ea638dcfe69b
Instruction Fuzzy Hash: 8501AD394116409FDB21CF0AD985B52FBE1EF15320F08C4AAEE460B656C3B5E448CF62

Function 0121BE3E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0121BE70

Memory Dump Source

Source File: 00000006.00000002.2129396249.000000000121A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_121a000_NYQbqD59m8.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2459b3857456c72814f62a85d23a35869baa626084e9b5e4044f78690635d681
Instruction ID: 235d0998db7c7766257f0fd9bd3f47d073696d2bd2f2d4bd56ad1fc369adbc93
Opcode Fuzzy Hash: 2459b3857456c72814f62a85d23a35869baa626084e9b5e4044f78690635d681
Instruction Fuzzy Hash: E8F08C359146409FDB20DF0AD985761FBF0EF14220F48C4AADE094B756D2B9A448CEA2

Function 013520D0 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 0135230F

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 81610c85864b456468168b5c7989d709d1540e6f9ae72a8682ee2ccdc92c5bfd
Instruction ID: e2f7e4994373acd7f60cf7e85eed0b87fa8a47cb20083c3b9f2f34045a311888
Opcode Fuzzy Hash: 81610c85864b456468168b5c7989d709d1540e6f9ae72a8682ee2ccdc92c5bfd
Instruction Fuzzy Hash: 1C719B34A04209DFCB94DFA8C445ABFBBF5FF85748F11806AD9029BA65D7309E41CB92

Function 013525DE Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

f`k, xrefs: 013526C1

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: 24075eab90279e5c7a73d12ca910639c48f4c96c5a4e6de273728790dd013f40
Instruction ID: e81cd58954ffb7f9758143701638a7767cd70c51e65de4ad4ed18ba7cf7e21d7
Opcode Fuzzy Hash: 24075eab90279e5c7a73d12ca910639c48f4c96c5a4e6de273728790dd013f40
Instruction Fuzzy Hash: 07318E70A00209CFDB74DF69D548A5EFBE2BF49318F11D629D4049B259CBB89885CB41

Function 013512A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d441e1fd1e66aed1ca1af40df583a3c0fc6a0e5fa640ed509f67fe506d50472
Instruction ID: f7a54192c457b3a299886531c318f5ee04c08473d8a6530102ca691e86f098de
Opcode Fuzzy Hash: 3d441e1fd1e66aed1ca1af40df583a3c0fc6a0e5fa640ed509f67fe506d50472
Instruction Fuzzy Hash: 6422E634A00609CFC764DF24C590A6AB7F2BF48308F148AA9D85A9BB56DB35EC45CF41

Function 013509A0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b503bb9520e950c6ebd8b9d21e65acad2e424b24fe1785a163465e512b63cf
Instruction ID: bab3319afde8316a2f7fa1de6511cf47cb2213e88f1737b75b41e90ea4f5b365
Opcode Fuzzy Hash: 79b503bb9520e950c6ebd8b9d21e65acad2e424b24fe1785a163465e512b63cf
Instruction Fuzzy Hash: 9E51E231B04219EFCB199FB4D894AAEB7F6EF44708F108469E906DB655DB31DC06CB81

Function 013502E8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7896d47a50b2bdc192116536bfbad3e4b3a49cc67c76d6c8f19d99f140adde
Instruction ID: f55e7556dc277861ef976f662ee676734e6cbef659c4a9f19ffb240d329c68d2
Opcode Fuzzy Hash: 6c7896d47a50b2bdc192116536bfbad3e4b3a49cc67c76d6c8f19d99f140adde
Instruction Fuzzy Hash: 5D51C170A04205CFDB59DF28C150BAE7BF2AF89718F148469E906AB761DB36DC05CF91

Function 01350BC0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dc1261db94546882e8a78961399266f0ebe3866d98d66f18d90043e674388e
Instruction ID: 58d2042630dd769c251fa8863ed857bb031b40fcdc114488df96be39a004b43e
Opcode Fuzzy Hash: 87dc1261db94546882e8a78961399266f0ebe3866d98d66f18d90043e674388e
Instruction Fuzzy Hash: 7741B831B042148FCB599B78C414AAE77EAAF86714F1580AAFD06DF761CE729C068791

Function 013502DC Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc9ae28350d83944b301f7a3980f6e30c496a41afd4bc7a026a61e2dd3c74d9
Instruction ID: b7edc4f22c7ca68bc2a10b57f98dd6076c1b56564a95f98b7fdf47f8efead3e2
Opcode Fuzzy Hash: 7bc9ae28350d83944b301f7a3980f6e30c496a41afd4bc7a026a61e2dd3c74d9
Instruction Fuzzy Hash: 96419170A00208DFDB59CF68C150BAE7BB6EF89718F144469E902AB7A1DB72EC44CF51

Function 01351298 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26722bf70f6d0c40a2324fdd3001e5b51af60620ee9fbef641ebc8ac11e8e58
Instruction ID: 13e6677a49cda1e9b95fe7c696c7b21d85ac2ec1feebcd1cd8cbd782b8804049
Opcode Fuzzy Hash: b26722bf70f6d0c40a2324fdd3001e5b51af60620ee9fbef641ebc8ac11e8e58
Instruction Fuzzy Hash: E6414874A04219CFCB64DF68D854BADBBB2AF49208F0045EAD80AABB55DB309D84CF51

Function 01350006 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767b96de5e104b784b3a59331588a757619626fb146f0d6965f4b32b326e6189
Instruction ID: f315114ad110908f4ed57890c42f02f5df52878e1dac42d23bccefb68b33ed8e
Opcode Fuzzy Hash: 767b96de5e104b784b3a59331588a757619626fb146f0d6965f4b32b326e6189
Instruction Fuzzy Hash: DA31817150C3C5DFC756EB70982886D7FB1BF52204B46499AE881CB69AEB39DC05C713

Function 013521E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa311c07a3e7b9ddbd3a4314a9ca8080e50a798a587b6cf2067e7bcf397835f
Instruction ID: a1e4d998a0987035b07c1bf9fd17507d8287c72477016af6a6ec65893734555c
Opcode Fuzzy Hash: 3fa311c07a3e7b9ddbd3a4314a9ca8080e50a798a587b6cf2067e7bcf397835f
Instruction Fuzzy Hash: 02315A34A08209DFCBD4DFB4C145AAEBBF4BF05748F1081AAD8029BA61D7359A45CB92

Function 01354270 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22a89947220073e9ac9183a94c35af3268b246139af69a24bbc38635534672e
Instruction ID: 19378d26b98f675a17e7d67700fd2999fa23ba08dbb85249f41d546eff204fbc
Opcode Fuzzy Hash: f22a89947220073e9ac9183a94c35af3268b246139af69a24bbc38635534672e
Instruction Fuzzy Hash: 58115C31A002198BCB6CEBB49414ABF77AE9B85648B51053BC80787A55FF34D85487A2

Function 0136088C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129692814.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1360000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fd69c82ed5be34c094232931748e75200434fa9d944f0b387448728e29f258
Instruction ID: 856d9be6b32b39ed7355999d0cb842274197253c989ad669b6930aab2165c819
Opcode Fuzzy Hash: 85fd69c82ed5be34c094232931748e75200434fa9d944f0b387448728e29f258
Instruction Fuzzy Hash: EA11D530204284DFD319CB14D541B16BBDAAB8971CF24C9ACF44947B57C77BD803C691

Function 01360855 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129692814.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1360000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f807f988dca3fac27fdd5c26bb53576bc8affc449afedae972787deb25ed8c7
Instruction ID: df7111d523664b547ddbf3e5d3b369bea525ecece06ce2cd95bd2be07a2f6740
Opcode Fuzzy Hash: 5f807f988dca3fac27fdd5c26bb53576bc8affc449afedae972787deb25ed8c7
Instruction Fuzzy Hash: 37215E3110D3C08FD717CB24C950B11BFB6AB47218F19C6DEE4854BAA3C33A9806DB62

Function 013505C0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583df26fd3d9f6ceccba1461cd5799f8a72e99196386ea0bd10958d634fbb257
Instruction ID: 996f65c41cef5575170522e1dc37b6efcfd4f51fe5f2e5115a70a0457ea9eec9
Opcode Fuzzy Hash: 583df26fd3d9f6ceccba1461cd5799f8a72e99196386ea0bd10958d634fbb257
Instruction Fuzzy Hash: BC01F4323101385B8609673944255BE33CB9FDAA58729082FE006DB395CF6A8C4303E6

Function 01351209 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ebadb17631e4550c6cc273de809d93c2cfce59a7f172467644a09245de2539
Instruction ID: 12d73068b6b2a67ba0a3baf8d76fdede919ebd62587c294422267de420f5922b
Opcode Fuzzy Hash: 01ebadb17631e4550c6cc273de809d93c2cfce59a7f172467644a09245de2539
Instruction Fuzzy Hash: A1015E30314154CFC7489B78D018E6D7BEAAF8665872500BAE806CFBB5CF758C098B92

Function 013505C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89903d3f5e88fda18bd5058cbd14c4b49119bfc1ca10e173b4c36ec74e1c15e
Instruction ID: b9e3744a64341cb49b6291f604075cd1dba79100a7bd599b0f43fe7c1c5996de
Opcode Fuzzy Hash: c89903d3f5e88fda18bd5058cbd14c4b49119bfc1ca10e173b4c36ec74e1c15e
Instruction Fuzzy Hash: 5DF09022710038578648677D55256BF62CF9FD9A58729482BE00ADB395CFAA8C4303E6

Function 013605DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129692814.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1360000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f9f8c255261049d6f3bb07cf623697b6292d17d422c2baf39573277e273de4
Instruction ID: 530427fd90f92c21d0e2f8fcd1670dab31a529e479f5c15132472cc8dbef6809
Opcode Fuzzy Hash: b8f9f8c255261049d6f3bb07cf623697b6292d17d422c2baf39573277e273de4
Instruction Fuzzy Hash: 1201DB765497805FC3118F15EC40853BFF8DF4723070988AFEC488B712D125B948CBA2

Function 01351218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e2ad321ce7758c0f8176d133d6d11288520bdf687d4a473c83a8e401b6905b
Instruction ID: 7de91154895e3ea0a24a4be3a8f8578c99e9a109b77b54a8dfe3c03260b0386b
Opcode Fuzzy Hash: 83e2ad321ce7758c0f8176d133d6d11288520bdf687d4a473c83a8e401b6905b
Instruction Fuzzy Hash: 47011D70314014CBC758AB68D058E6DB7EAAFC9A5871540AAE806CBB65CF759C098B82

Function 01354261 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fa603333488e6780cf5e134d670f991491e2c989523e4766a7d37c33b65183
Instruction ID: 5bafc275a396d8a1bdd4be0e7ee0cf32712223feca20fde4ec6187683fec4c9b
Opcode Fuzzy Hash: 14fa603333488e6780cf5e134d670f991491e2c989523e4766a7d37c33b65183
Instruction Fuzzy Hash: F8F0273150C3589FCBA96F70A8098AE7FBCEF86598341057BD806C6812FA3981858391

Function 01350918 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c119e6feb6a2585ee79d7663e311bb9bec8bbd6c3e6f92cc1164503e79e8363e
Instruction ID: f2a287b1e74845804b633cb2cd680b25270d1c37d4bf476aaef07932e2e39454
Opcode Fuzzy Hash: c119e6feb6a2585ee79d7663e311bb9bec8bbd6c3e6f92cc1164503e79e8363e
Instruction Fuzzy Hash: 11E0E532E0521C9BEBA85AF498159EFBBBD9785B58F004933EE0793618DA72580542D2

Function 01360948 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129692814.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1360000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction ID: da4bb426f8c116028b5a83cd753b359cb9e52c316175b9866f20f6f7a794ae87
Opcode Fuzzy Hash: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction Fuzzy Hash: 16F01D35104644DFC306CB04D941B15FBE6FB89718F24CAADE94917B66C737D813DA81

Function 01350916 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64d1ea297fd06b5e4d1e230a7d169c79bfa1c1353d6a8c8d632df35fedc3818
Instruction ID: eb941dc9b6cc75acc7c0a1c29ff46d6b8bc7da69e7faf3c26ffd74670fa05461
Opcode Fuzzy Hash: d64d1ea297fd06b5e4d1e230a7d169c79bfa1c1353d6a8c8d632df35fedc3818
Instruction Fuzzy Hash: 26E0683090931CABE7A81AF48825DAF7FBD4B86B48F000837BD0397718CDB248028292

Function 01360606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129692814.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1360000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c038d6af3f47d115d313fb5a6441af89c5dfadab14efa3f4c54939baa5723de5
Instruction ID: 37709fb37b1eb5fc232c467e254f5a373a3269a217270d0e754673f1db08e676
Opcode Fuzzy Hash: c038d6af3f47d115d313fb5a6441af89c5dfadab14efa3f4c54939baa5723de5
Instruction Fuzzy Hash: E8E092B66006048F9650DF0BEC81452F7D8EB88630708C47FDC0D8BB01D635B508CEA5

Function 0135016F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0aeea4fd6fb1c1a8ea043cd346cfb59caaa4f425aeb7f20257dd84592a44b45
Instruction ID: 7dca20b80c13ec6766742fa0fa607bc4e85c040e23cb11e5199c3ca143eeace0
Opcode Fuzzy Hash: d0aeea4fd6fb1c1a8ea043cd346cfb59caaa4f425aeb7f20257dd84592a44b45
Instruction Fuzzy Hash: 49E05E762053449FCB292B70F06D0BC3BA5DB4A20670408BED4528B35ADF3AE992CB04

Function 012123F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129381650.0000000001212000.00000040.00000800.00020000.00000000.sdmp, Offset: 01212000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1212000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e109c033cb599d40d8edb3d8ce258bc99a2c44ece0410780aeb27b2e2b17d9c1
Instruction ID: fa8eaffe444e32fba267fecf78c3d33eab8a5807775cf252a267fda278d7ff0f
Opcode Fuzzy Hash: e109c033cb599d40d8edb3d8ce258bc99a2c44ece0410780aeb27b2e2b17d9c1
Instruction Fuzzy Hash: C3D02E792406D28FE316CE0CC1A4B853BE4BB60704F0A00FDAC008B767C728E480C200

Function 01350650 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97b91e438349477da1bfacf567ec04514ec03225336a37704af9ecd2da08f6e
Instruction ID: 21ea525e4be85e343ee0c86a690484c8618a0e16cf05ea89ef7725574a7af34c
Opcode Fuzzy Hash: f97b91e438349477da1bfacf567ec04514ec03225336a37704af9ecd2da08f6e
Instruction Fuzzy Hash: 03D0A7700CE384DFC3D94FB0A8244AD3B26DBA3329714447AF44185432D63B9892CB22

Function 012123BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129381650.0000000001212000.00000040.00000800.00020000.00000000.sdmp, Offset: 01212000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1212000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d544115143a613f5e0ce4b60c5b79b1800e979991d2adb3528ff9682998c8369
Instruction ID: 7245572fb18b9bb769c0a106f765973e72b735f9a9afbba7e345525b95c855db
Opcode Fuzzy Hash: d544115143a613f5e0ce4b60c5b79b1800e979991d2adb3528ff9682998c8369
Instruction Fuzzy Hash: EED05E353402828FD715DF0CC6D4F993BD4AB60B15F2644ECBD108B766C7A8D9C0DA00

Function 013502AC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec403d457b3b5e15fc9d06333ff560d1f883ffbfc1e03b022b09b217f79d2eb0
Instruction ID: 6404d65dd5db74cd68e20d4bd314cc20fc6a4bce4e49f5c5dc7ee839ef04111c
Opcode Fuzzy Hash: ec403d457b3b5e15fc9d06333ff560d1f883ffbfc1e03b022b09b217f79d2eb0
Instruction Fuzzy Hash: 0AD05232004608ABC3B88B58E108C9AB3B0FF81B143018C0EE88702E08C731BC408B01

Function 01350180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4ae85b4215d13eba7d0d5b7f4336e59d9169fc899c022f289d80a42ff5d436
Instruction ID: 3cb837caa4bc97fe75bcc754a80f8cf0561cc2e72a58a9e15044af9e3d70f5a5
Opcode Fuzzy Hash: 2b4ae85b4215d13eba7d0d5b7f4336e59d9169fc899c022f289d80a42ff5d436
Instruction Fuzzy Hash: 68D0C9352013048BCB382B70B11C46833A6AB486063000879D80646345DF3AD891CA00

Function 01350660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2129676502.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1350000_NYQbqD59m8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06287faac44dc5882c5bf84e5c7de77fdb49fc373304068e4601f11e4daad8c
Instruction ID: dee45de2737324f128b2d6bec3df1d1fad78c5d5ef2561bb3c94d30e3fae4eb1
Opcode Fuzzy Hash: a06287faac44dc5882c5bf84e5c7de77fdb49fc373304068e4601f11e4daad8c
Instruction Fuzzy Hash: 08C02B3008B20CCAC3AC1AB0280CC3D730CD7D171D720C036F801004118E33F4E18571

Analysis Process: dnshost.exePID: 5320, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	6

Executed Functions

Function 00F223A0 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f`k, xrefs: 00F229C2
f`k, xrefs: 00F226C1

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID: f`k$f`k
API String ID: 0-3251778840
Opcode ID: 2bff17647ff2b9a81906579c610e6509af1ea7ed921a65be7702dcf192d69d32
Instruction ID: 05d0eb9852575c616f9db86121c2e9af272fd133b5e781af882956d9bb863ce7
Opcode Fuzzy Hash: 2bff17647ff2b9a81906579c610e6509af1ea7ed921a65be7702dcf192d69d32
Instruction Fuzzy Hash: F312DD31E00225DFC764EF28E9846ADB7F2FF84314F64856AD016AB265DB389D46EF40

Function 00F22FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b792944c4a2a0e9664f440fddb2a66536ede0aebea463e042f1483e2fecf9e
Instruction ID: 2f23f6668f34b1274309d73644c1c556f9a2eb43d078ea88bf1840c638b01b0b
Opcode Fuzzy Hash: 59b792944c4a2a0e9664f440fddb2a66536ede0aebea463e042f1483e2fecf9e
Instruction Fuzzy Hash: 1381C272F111259BDB14DB69E880AAEB7E3AFC4314F2A8075E405DB369DF38DD019B90

Function 00BDAA02 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00BDAAB1

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4afe24012b45ff406b74f0ce08e5623ed4eb35ddab84779a96acbaca0be31572
Instruction ID: 48546e609245eb5ad0ed99d24d9e0da8e4c3fec947fc598b859a9fc28e1bca56
Opcode Fuzzy Hash: 4afe24012b45ff406b74f0ce08e5623ed4eb35ddab84779a96acbaca0be31572
Instruction Fuzzy Hash: 0C31A271504384AFE7228B51CC45FA7BFFCEF15310F08859BE9858B652D264E909CB72

Function 04DE00F6 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04DE019D

Memory Dump Source

Source File: 00000007.00000002.2132986171.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4de0000_dnshost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 17d2bfc15917addf9f386473601dcbe1e37c5a4f337d5a394c6849c0aa6f44f2
Instruction ID: 963f696873c573806d8b9e56de25e1689eb4657e48cba4e0601bce3fc61c3970
Opcode Fuzzy Hash: 17d2bfc15917addf9f386473601dcbe1e37c5a4f337d5a394c6849c0aa6f44f2
Instruction Fuzzy Hash: 2C317E755093806FE712CF65DC45BA6BFF8EF06214F08849AE984CF292D365E909C761

Function 00BDAAF9 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4F5C48FF,00000000,00000000,00000000,00000000), ref: 00BDABB4

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 578ae484ffe4437ab6b9af6339def72d720ec6da5413fee6c6cd04b8d5b246d7
Instruction ID: 7dd11966e0449a03b3d03b5bb1d1ff80c182edfebac65c9a4052db3bab527673
Opcode Fuzzy Hash: 578ae484ffe4437ab6b9af6339def72d720ec6da5413fee6c6cd04b8d5b246d7
Instruction Fuzzy Hash: FC315E755093846FD722CB61CC44FA2BBF8EF16714F08849BE9458B252D264E949CB61

Function 00BDAF50 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00BDAFEA

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6e14756df28046e7c79fd72f86e3cbd977ff020d98ecf42dd66b3a9b7226f3be
Instruction ID: 5ac16718a3a0e65177a8e2e0ad64a522e271b1255524032b28cbf9b6ff7b8740
Opcode Fuzzy Hash: 6e14756df28046e7c79fd72f86e3cbd977ff020d98ecf42dd66b3a9b7226f3be
Instruction Fuzzy Hash: 6321A4754093C06FD3138B259C51B62BFB8EF87614F0A81DBE884DB693D224AD19C7B2

Function 00BDAA32 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00BDAAB1

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 27e1335d75648590a3d8f3aa309d98b952d74ac31534c22da6b4a404fa2e3c02
Instruction ID: e8c184c736995edd5120ee2b8bb53330fc85c0970e8fee5d7171a244bb3f7a31
Opcode Fuzzy Hash: 27e1335d75648590a3d8f3aa309d98b952d74ac31534c22da6b4a404fa2e3c02
Instruction Fuzzy Hash: 3621BE72500204AEE7219B55CD84FABFBECEF14324F0485AAE9058A651E734E908CAB2

Function 04DE012A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04DE019D

Memory Dump Source

Source File: 00000007.00000002.2132986171.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4de0000_dnshost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 775e18d1f4720d2fabab35d8d33f055e5b9763002f1fc5bc8b2da00201aff5a3
Instruction ID: 939a9f8f1934f77ec9fca5c92a1f2e212dd7b0bfe54150e3f829e4304cadcf8d
Opcode Fuzzy Hash: 775e18d1f4720d2fabab35d8d33f055e5b9763002f1fc5bc8b2da00201aff5a3
Instruction Fuzzy Hash: 8121B071604240AFE721DF66DD45BAAFBE8EF05224F04846AE949CF641D3B5F508CB71

Function 00BDAB3A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,4F5C48FF,00000000,00000000,00000000,00000000), ref: 00BDABB4

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ee20475878fe3afc95de425d36c16c8981e49051efb9dc66d2255fd1e6cba770
Instruction ID: 73913619ed1ff481602852dd9fdb7d5a900703e86d0aec9d178b626f93eb1cca
Opcode Fuzzy Hash: ee20475878fe3afc95de425d36c16c8981e49051efb9dc66d2255fd1e6cba770
Instruction Fuzzy Hash: 12215E75600204AFE721CF55DC84FA6F7ECEF14720F1484ABE9458B751E764E909CAB2

Function 00BDB7CA Relevance: 1.6, APIs: 1, Instructions: 61
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BDB841

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ca08967aa7c356c80b7afeb6211bcef17183cd2cdd3576bc6e882fc1e8ad90fc
Instruction ID: 0eb572478030eb64ca7104cebf8ab64413f590ac6d5dc467b50be9271aa1af38
Opcode Fuzzy Hash: ca08967aa7c356c80b7afeb6211bcef17183cd2cdd3576bc6e882fc1e8ad90fc
Instruction Fuzzy Hash: 0721AE714093C09FDB228B21DC50A92BFF4EF17310F0E84DAE9844F263D265A918DB62

Function 00BDA51F Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BDA58A

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 87da8b144879399c351c541804649ec5434c7105950f080544cea24cc6ab6394
Instruction ID: f6d1f88c3c9d7ae497351c3233aed3c17a59a150cdd2a2610d6dfae1dadffc16
Opcode Fuzzy Hash: 87da8b144879399c351c541804649ec5434c7105950f080544cea24cc6ab6394
Instruction Fuzzy Hash: A9117571409380AFDB228F51DC44B52FFF4EF4A314F0884DAED858B652D375A418DB61

Function 00BDBB4F Relevance: 1.6, APIs: 1, Instructions: 59
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BDBBB9

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7a8bb3fdf68575a704f4a5a3441f3ff8b5f3ff9c1695083f91a99379a73974d3
Instruction ID: d1cce93f75353a0a863173eeb8154f298905a2a114cd4e434742703ec7e18df2
Opcode Fuzzy Hash: 7a8bb3fdf68575a704f4a5a3441f3ff8b5f3ff9c1695083f91a99379a73974d3
Instruction Fuzzy Hash: 2411AF755093C0AFDB228F21DC45A52FFB4EF16220F0884DFED858B663D265A818DB62

Function 00BDBE05 Relevance: 1.6, APIs: 1, Instructions: 58
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?), ref: 00BDBE70

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 23bbe85e91e317cf49cae203514bd2a6742fea3a023e1de4a19cc5a7fc64e146
Instruction ID: 56e9f2482976571409fec7a8de64d9518b6ffcb68b84758242f4541d3bbb5347
Opcode Fuzzy Hash: 23bbe85e91e317cf49cae203514bd2a6742fea3a023e1de4a19cc5a7fc64e146
Instruction Fuzzy Hash: 771151754093C0AFDB128B15DC44B61BFB4DF47624F0984DBED854F263D2656808CB62

Function 00BDB71E Relevance: 1.6, APIs: 1, Instructions: 57
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 00BDB78A

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b7ee23c730b41f6c05ca2b4877fdb1da5cf7e6f603d7ff4d5689ef5ab60102f0
Instruction ID: b08251b07f7b5725785fa3f4751bc52656ab22ea4fea1e72a1f7de35f1f22f5d
Opcode Fuzzy Hash: b7ee23c730b41f6c05ca2b4877fdb1da5cf7e6f603d7ff4d5689ef5ab60102f0
Instruction Fuzzy Hash: 8E117F75508380AFDB21CF55DC44E52FFF4EF4A320F0988AEE9858B662D375A818DB61

Function 00BDBEB4 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00BDBF0C

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 0e9cc574e01d9a7306418c2bb91d9df8be07a02c8acf0989d8dcfadc74e89478
Instruction ID: 8727f8a6b10c20366abdfa156da433aa0c92627a8b8af38b3aa56e54ea87f755
Opcode Fuzzy Hash: 0e9cc574e01d9a7306418c2bb91d9df8be07a02c8acf0989d8dcfadc74e89478
Instruction Fuzzy Hash: E4114F716053809FD721CF65DC85B56BFE8EF46320F0984EAED45CB252D274E848CB61

Function 00BDA75B Relevance: 1.6, APIs: 1, Instructions: 52
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 00BDA7BC

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4950103d096ee8fe692f7ba93bce5b5e50ff1b0cff3a7725c5edaaee28a638b8
Instruction ID: 3a3706290a2816f4f93ba33822c5a58f8b789a2138a8a3ef9bbd65190cb81400
Opcode Fuzzy Hash: 4950103d096ee8fe692f7ba93bce5b5e50ff1b0cff3a7725c5edaaee28a638b8
Instruction Fuzzy Hash: 09116A758493849FDB11CF25DC44B52BFB4EF42324F0984EBED458B253D279A848CB62

Function 00BDA8CC Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00BDA926

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a21d8e84112ac98d7cf0f65998b71897abc8f8b148733f8ba6ebbc72d1e92193
Instruction ID: 206694b5d0c03cdc3d29ada3c2c1eca6f35f157d33ecc4fa3753de53c3049821
Opcode Fuzzy Hash: a21d8e84112ac98d7cf0f65998b71897abc8f8b148733f8ba6ebbc72d1e92193
Instruction Fuzzy Hash: 9411AC71408780AFC721CF11DC89A52FFF4EF06320F0984DAE9854B262D279A808CB62

Function 00BDBED2 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00BDBF0C

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 400f50e8b451c3a350c329e026cc065061e2e46694c5e67e3551e737167535f1
Instruction ID: b30b723a0f73a7e14064486e46e6a022ca5a23603ea2f51531a07440d542ba1c
Opcode Fuzzy Hash: 400f50e8b451c3a350c329e026cc065061e2e46694c5e67e3551e737167535f1
Instruction Fuzzy Hash: 7B014075A042419FDB20DF2AD985B66FBD4DF04320F0984EBDD45CB756E774E804CA61

Function 00BDA546 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BDA58A

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d3e1b7f9cc8a8ed1efb05cf48e301e2874bfcaea613604c39ee6b3159c103819
Instruction ID: 3eded6c72904ed045a0ad1cf61f8f7b72168bd7cd70eb53c2d398dbc115dc237
Opcode Fuzzy Hash: d3e1b7f9cc8a8ed1efb05cf48e301e2874bfcaea613604c39ee6b3159c103819
Instruction Fuzzy Hash: C7016D365006409FDB21CF55E984B56FBE0EF18324F08C8AAEE494A656D375E418DF62

Function 00BDB746 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 00BDB78A

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: cfc136f924136ae56c8760dd31614a8152fe675beb6fb8298f96aaa1fdf2337d
Instruction ID: e45672cf6f0ccf53b678af5bae975131b332047261c69cc932823af25276dd67
Opcode Fuzzy Hash: cfc136f924136ae56c8760dd31614a8152fe675beb6fb8298f96aaa1fdf2337d
Instruction Fuzzy Hash: D4016D36500640DFDB21CF55D984F56FBE0EF48720F0988AEEE4A4A622D375E818DF62

Function 00BDAF9A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00BDAFEA

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4b704fc48671768a138590a8177236d5a520a1c05ba1d3acca0e1a9ee092731f
Instruction ID: ee9eb4bcc07ad31f8cba6750a12f3ffd5bdc4397d8aaf39c4080d294d78ae4f4
Opcode Fuzzy Hash: 4b704fc48671768a138590a8177236d5a520a1c05ba1d3acca0e1a9ee092731f
Instruction Fuzzy Hash: 6201D671500200ABD310DF16CC46B66FBE8FB88A20F14815AED089BB41D731F955CBE5

Function 00BDBB7E Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BDBBB9

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 893aa359183f7f64aff2959e957ec6049c5029e4fb7d504d8e45cad10a19728b
Instruction ID: 6694698eaecf01066c2fe5b572cb76fdd6f73ffc892cda4ee4da976e0755a19f
Opcode Fuzzy Hash: 893aa359183f7f64aff2959e957ec6049c5029e4fb7d504d8e45cad10a19728b
Instruction Fuzzy Hash: 17019E35500640DFDB208F16D984B66FBE0EF04320F0984ABED464A766D375E418DB61

Function 00BDA78A Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00BDA7BC

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4aaa99e0d716b8de54b45177919098553eea5bd51cb5baf5d27b03f2e248361a
Instruction ID: f859315bb78375432c4b9b40053368e97d084fdf84aea10c9920810e0395fbf9
Opcode Fuzzy Hash: 4aaa99e0d716b8de54b45177919098553eea5bd51cb5baf5d27b03f2e248361a
Instruction Fuzzy Hash: C0018B759042409FDB20CF15D984762FBE4EF04320F08C4EBDD098B746E379A808CAA2

Function 00BDB806 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00BDB841

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 825a272ec75f7166da18702ba60c1b3c92fb19523cdf3d8d21f2b0b1e7450090
Instruction ID: 0ad5bffca071f3d007097ba5d68ef7e3343ed9fb00983ddc5ffbe3f0e36d78c6
Opcode Fuzzy Hash: 825a272ec75f7166da18702ba60c1b3c92fb19523cdf3d8d21f2b0b1e7450090
Instruction Fuzzy Hash: 3E017C35800640DFDB208F06D984B65FBE4EF04320F0984AEED454B766E376E418DBA2

Function 00BDA8EE Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00BDA926

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ff9d1ca86b4c57b7f8e6ce684d3ecb1c5e9e12ddaad089d71610d37f0ac0c537
Instruction ID: 84b8779eeed00cf5ff2a34dbcdfb56ec5554157bc5c54ecd607b01635c5b1039
Opcode Fuzzy Hash: ff9d1ca86b4c57b7f8e6ce684d3ecb1c5e9e12ddaad089d71610d37f0ac0c537
Instruction Fuzzy Hash: CA01AD358006409FDB208F06D985B52FBE4EF05320F09C4EBDE460B752D379E808DB62

Function 00BDBE3E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00BDBE70

Memory Dump Source

Source File: 00000007.00000002.2131982865.0000000000BDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bda000_dnshost.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: cb1dabfd17fae7e2210895d3df66b339a33df34da3c711559447437c5e019898
Instruction ID: 4c15db3980033440493c85f3ec99cb11c5be98ed749a81b6a2d331a883add587
Opcode Fuzzy Hash: cb1dabfd17fae7e2210895d3df66b339a33df34da3c711559447437c5e019898
Instruction Fuzzy Hash: E5F08135904240DFDB208F06D984BA1FBE0DF04320F09C8EBDE054B756D379A408CAA2

Function 00F220D0 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

r*+, xrefs: 00F2230F

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 817cc51b478b27a10adbe0ebc58776398b8d8324651fba765efd6cde381db98f
Instruction ID: 4df873a3e75cf422c8993c2e234d98b3057028ff27a46f554a022d4e93714a02
Opcode Fuzzy Hash: 817cc51b478b27a10adbe0ebc58776398b8d8324651fba765efd6cde381db98f
Instruction Fuzzy Hash: 1671A031A04265EFDB94DFA4D485ABEBBF1FF45300F20806AC502DB6A0DB359E45EB52

Function 00F225DE Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

f`k, xrefs: 00F226C1

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: 607e225e0259e022915d991e408cfdd6d2224a03c9eed39410f40ffeb762765c
Instruction ID: dab58ee613997c96d0ac4d9aba13f48a7592f37eeade5455f9f298d0e093c9bc
Opcode Fuzzy Hash: 607e225e0259e022915d991e408cfdd6d2224a03c9eed39410f40ffeb762765c
Instruction Fuzzy Hash: 4A31CA31E00249CFDB60EF64E98865AFBE2BF84328F10C569C004AF265DB789989DF41

Function 00F23B6B Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec6dcb2132d708b0bb872f08fb175db77fc97ddfd9206de98b3ce15df6c1980
Instruction ID: d0981c67550d255734db0e8451714c803e61a1e3c53b991591bda51c9c9f5ecf
Opcode Fuzzy Hash: 8ec6dcb2132d708b0bb872f08fb175db77fc97ddfd9206de98b3ce15df6c1980
Instruction Fuzzy Hash: BF12E271A00215CFCB15CF68D9849A9FBB2FF88314B16C9A6D918DF266C734ED46CB90

Function 00F212A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779bfae8e988240dec30ccc563913bda633a2be053fd0b64635dde3e7345585c
Instruction ID: ba8f8c19a8962dc9ba21bb856b8a113ae2348b86ef88db150ffb7f9a0a063142
Opcode Fuzzy Hash: 779bfae8e988240dec30ccc563913bda633a2be053fd0b64635dde3e7345585c
Instruction Fuzzy Hash: 45221334A00619CFC724DF28C590A6AF7F2FF58314F1089AAD85A9B726DB34AD46DF40

Function 00F209A0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81de9d98431da29d508798f7266fadef06b4a07284bd15c2a11d9282157917c0
Instruction ID: c64927ad53899ac909c119cc285c942ec911978da4ac88f6de5e255d36ba4549
Opcode Fuzzy Hash: 81de9d98431da29d508798f7266fadef06b4a07284bd15c2a11d9282157917c0
Instruction Fuzzy Hash: 1E51C532B04165DFCB249BA4E854BAEB7F2AF84314F2084A5D516DF762DF309C06DB81

Function 00F202E8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1284a0d1e6ba937d5d672de5701cdee1554e40fecf0db9194b8eef41f82de8
Instruction ID: 1f65cddb42e29ef18f32a734f9b0bfae7969bc9fc4189cf57f4cdd99ef7c873a
Opcode Fuzzy Hash: ff1284a0d1e6ba937d5d672de5701cdee1554e40fecf0db9194b8eef41f82de8
Instruction Fuzzy Hash: 8251C032B042158FCB14DF24D5507ADBBF2AF99310F2984AAD506AB7A2DF34AC05DB91

Function 00F20BC0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4214ec0810123b84639cddd388272b4cf5e1604008bfeebbf8907346d329b5
Instruction ID: 4f1a07207b6824bb4508d55c4fce445012231a28bd5e8e90e247931ab54eb423
Opcode Fuzzy Hash: cd4214ec0810123b84639cddd388272b4cf5e1604008bfeebbf8907346d329b5
Instruction Fuzzy Hash: 71410733B041148FCB159B28D4147AE7BF6AF86310F1581AAE806EF762CF719C0A9791

Function 00F20681 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6995a3e0ec313b3523c34172ac1f18202050370c57d7f3f5d91cf7e15c8a77
Instruction ID: 6fa72b28688cee47b2d4b0727fe355ea7cc9c3e3d9fb944e5d77ab9650359a95
Opcode Fuzzy Hash: 7c6995a3e0ec313b3523c34172ac1f18202050370c57d7f3f5d91cf7e15c8a77
Instruction Fuzzy Hash: B4417F326482908FC7146B74FC9D66D3BA2AF8130571548BAE403CF6B2DF349C06AB96

Function 00F202D9 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044c4926e27a29e2ea8a6743293546403db5adf3927b1397170ca4f4d84d312d
Instruction ID: 5829675d6e7009c3db1adfe4cde6d0bc3727066e4abdcfa6794b8f0e58d402df
Opcode Fuzzy Hash: 044c4926e27a29e2ea8a6743293546403db5adf3927b1397170ca4f4d84d312d
Instruction Fuzzy Hash: 16319C32F012188FDB14DF64D190BAE7BF2AF99314F2484A9D502AB7A1DF71AC44AB51

Function 00F21291 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab89b6537b85a3996ad2b7e743880bbfd7aa4719c2fa7b63a22d066e52a89718
Instruction ID: b324f1064a425a775e2a477704f64cfa977cda70cce49ca61500658310b75273
Opcode Fuzzy Hash: ab89b6537b85a3996ad2b7e743880bbfd7aa4719c2fa7b63a22d066e52a89718
Instruction Fuzzy Hash: D4415A34A04269CFCB24DF68D854BADBBB2BF59304F1044EAD40AAB751CB309D85DF61

Function 00F20014 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd68b17ed1cba7f6681fed00ed5768b9e6b5b52c7b6e90dcd31adc59a0868c97
Instruction ID: 84f1e4a633e3ef27e65e98d67f189c8a1f457fd8341f40ad045fa4f158743dbc
Opcode Fuzzy Hash: bd68b17ed1cba7f6681fed00ed5768b9e6b5b52c7b6e90dcd31adc59a0868c97
Instruction Fuzzy Hash: 59314F7250D3C18FCB12AB749864558BFF1AF52244B4A48EBD082CB297EB389C09D763

Function 00F221E8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b492213cb44240767a553d1ebd1efd3d6ba4d2bfee9ce72f167353093d2662a
Instruction ID: 54e7721e669bc57364c5b7c6a3a8951b665cfa72d46c870513abd354b88cc4e8
Opcode Fuzzy Hash: 7b492213cb44240767a553d1ebd1efd3d6ba4d2bfee9ce72f167353093d2662a
Instruction Fuzzy Hash: FD314B31D08219EFDB84DBA4D5457ADBBF1FF45304F2040AAC4029B6A0DB369E44EB92

Function 00F221F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bee08a24a74282bd214d7108e77b2607907c00de0b33a18b1191f0a9d7d770c
Instruction ID: ba46eba45be99cebe22a445e3987048ab5e4ab7f9fffa58871b36b38c7afe3af
Opcode Fuzzy Hash: 2bee08a24a74282bd214d7108e77b2607907c00de0b33a18b1191f0a9d7d770c
Instruction Fuzzy Hash: D6215C31E04219EFDB84DFA4D5457BDB7F0FB45304F20406AC4069B6A0DB369E44EB92

Function 00F24270 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08dc785ac58314c3f7a633b5f4efc9168ca35f007d03f1833249bd5a59f026ab
Instruction ID: 8ddaa8634f19d30730106f8687d35845e2a8f94e4433a6eb0aa78ff31d97479c
Opcode Fuzzy Hash: 08dc785ac58314c3f7a633b5f4efc9168ca35f007d03f1833249bd5a59f026ab
Instruction Fuzzy Hash: 1E112C32B00225C7CB14E7B5E8516BF77A69B85304B61453B9507C7780DF74AC05B7A2

Function 00D3088C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132185668.0000000000D30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2878a7e01647bf64429ce7fe9f9cd73651099637208f30791068556833a57d5
Instruction ID: a314e648dcd6326470aceaf4e3171faa352629b73fe8bd18a4e6e03af1d1bca4
Opcode Fuzzy Hash: c2878a7e01647bf64429ce7fe9f9cd73651099637208f30791068556833a57d5
Instruction Fuzzy Hash: 8A11E431204284DFD315CB14D950B26BBA5EF89718F2CC9ACE4890B753C73BD807DAA1

Function 00F20908 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b928298611d3b70d367d020bbbb839293277be4488fd72feb4b5463411539603
Instruction ID: e1177c9b03cf2a4f8eac1c06ace260845b74df90aaf161de9395d995d968e63f
Opcode Fuzzy Hash: b928298611d3b70d367d020bbbb839293277be4488fd72feb4b5463411539603
Instruction Fuzzy Hash: E7014833E093758FD71197F4B8955EF7F655B96320700456BC9028B253CE640C06A392

Function 00F22390 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671d29ec788c79101de0d5de6f2730aa27dc09b3edc1511b0ecf865957455a3a
Instruction ID: 921ce9d779512c3f786504bb7a23c5fcb53588718d63788f4b40009081d540d8
Opcode Fuzzy Hash: 671d29ec788c79101de0d5de6f2730aa27dc09b3edc1511b0ecf865957455a3a
Instruction Fuzzy Hash: F1119E72D08269EFC764DFA4E9447AEBFB1EB08304F20406EC146AB751DB780946EF50

Function 00F205B9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53de4b6c7c5c5c17f31076513bb4f87d17aae7dc78709ee0f6c7228b5b129850
Instruction ID: af60fbf2eead9181968ecc47323298bd577adaface9f70b25f200335d05a91d3
Opcode Fuzzy Hash: 53de4b6c7c5c5c17f31076513bb4f87d17aae7dc78709ee0f6c7228b5b129850
Instruction Fuzzy Hash: BF01FF337041700B8719237819252BE6ADB4FCA64872A08AFD006EB3A7CF698C4753A7

Function 00F21209 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce98afd5d0e674482ef8d10e5c22cf38dbe714836829b1dfe73655cf9073411a
Instruction ID: edc76424f21dc1b69f586f78c75517439b5cad3fe7949518f0f8a5cf3cbf8330
Opcode Fuzzy Hash: ce98afd5d0e674482ef8d10e5c22cf38dbe714836829b1dfe73655cf9073411a
Instruction Fuzzy Hash: B3015E31304190CFC714AB6CE018A69BBE5BF9A30472540EAE006CB7B5CF759C09AB96

Function 00D305C2 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132185668.0000000000D30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee12c4a48cd116676c34261059ee43549936d4cdde83194b3a2ba7c54e5361fd
Instruction ID: b972fa4467bf75fd093798b25e20878f8393f34f182aa2afd733c831d5b75ece
Opcode Fuzzy Hash: ee12c4a48cd116676c34261059ee43549936d4cdde83194b3a2ba7c54e5361fd
Instruction Fuzzy Hash: 6601A7765497C05FC711CB15AD40853BFE8DF8662070988BBE9498B652C225B909CB61

Function 00F205C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26ae921e02e01085904bcb9341053ca3658cec697e2460e9c2d85df7dd1acd0
Instruction ID: 4a36113b14d2a08058af8c9713d495a3b3f8f6fe4b787d926eab9f87630e3063
Opcode Fuzzy Hash: f26ae921e02e01085904bcb9341053ca3658cec697e2460e9c2d85df7dd1acd0
Instruction Fuzzy Hash: 0FF090237000341B4618237D55256BF66CB9FC9748B19486FE006DB396CF698C4313D7

Function 00F21218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c9b8c8a5368ef20bf6bfef8d95bbda9421520aaae5623c3fdfad4003820bd4
Instruction ID: 8b571ec885a04e5ca665ae5693aa6121f6fd0e6f630d6557b12d89c399136619
Opcode Fuzzy Hash: 11c9b8c8a5368ef20bf6bfef8d95bbda9421520aaae5623c3fdfad4003820bd4
Instruction Fuzzy Hash: 83011231304060CBC618AB2CD058A6DB7E6FFD571472540BAF406CB7A5CF759C09AB96

Function 00D305D2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132185668.0000000000D30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a5d15fdacfdabb6caf4a0b242d02cf2f3f1bc2d2c11dbd2c6f36deb933da8c
Instruction ID: c8bc9d91b97d50a91941307ca35a7b4be88a9e1b16e4d6f8d92309f3d9616990
Opcode Fuzzy Hash: e9a5d15fdacfdabb6caf4a0b242d02cf2f3f1bc2d2c11dbd2c6f36deb933da8c
Instruction Fuzzy Hash: 1AF062B69446849FD610CF06EC80863FBD8EB89630B04C97EED4A87701D235B809CBA1

Function 00F20918 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7397df38350c94c226ad1146eea13f3f4ca21baa3bf950c7adf6092c323346b4
Instruction ID: 5e8999b4a0c1b7809aad46ebef76cdc5e57848ee320b4b5cec665d460107e0de
Opcode Fuzzy Hash: 7397df38350c94c226ad1146eea13f3f4ca21baa3bf950c7adf6092c323346b4
Instruction Fuzzy Hash: 12E0E533E153389B9B1056F4F8556AFB7A98785360F1048339D0797303DE745846B692

Function 00F23BC4 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09fbdecb550fdb96cdee2b70bdea6cc096f3a27d0665fc385b2340b427a2ac5
Instruction ID: ac678e8ae7bbe0d86ede273ad4666ede6c6d552d514ebec5331aeb18c4c4eb94
Opcode Fuzzy Hash: f09fbdecb550fdb96cdee2b70bdea6cc096f3a27d0665fc385b2340b427a2ac5
Instruction Fuzzy Hash: DCF08272B04029CBCB14EF58F5816ECF7A1FBD4318B600957E0199B259DB3CAA069782

Function 00F24261 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651260686d3c450d27185ec97e7b54f6f07e93039fa3548d2a276d5b6a8e1a44
Instruction ID: 7928644a345dfd1d4d7550d554cd814cc0d8fc57b99efc6df4d0985219ab5532
Opcode Fuzzy Hash: 651260686d3c450d27185ec97e7b54f6f07e93039fa3548d2a276d5b6a8e1a44
Instruction Fuzzy Hash: BFF05C339093A0CFCB1057717C4849E7F78AE49241352047BE406C7191DEB41508A371

Function 00D30948 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132185668.0000000000D30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction ID: ef1dc2ee9a9eff2629d7f0d900eba0b526eb79e9db0952527ec01abc4e475f53
Opcode Fuzzy Hash: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction Fuzzy Hash: F7F01D35104644DFC305CB00D940B16FBA2FB89718F28CAADE98907B62C737D813DE91

Function 00D30606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132185668.0000000000D30000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d30000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc376ff3f7fdae53a4fd24f0162bff4c78496140f848ef97dc6f0568e084bf32
Instruction ID: 79ca78572879e8a365585fe1dc48e8b609d5f0a9e89fe74925721dc95eeb1180
Opcode Fuzzy Hash: dc376ff3f7fdae53a4fd24f0162bff4c78496140f848ef97dc6f0568e084bf32
Instruction Fuzzy Hash: E8E092B6A006444B9650CF0AEC41452F7D8EB88630708C47FDC0D8B701D635B508CAA5

Function 00F2016F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039cb97e10f06d9adc400d86f9383829d04e16e6f8943dff9f1d25faba4d5736
Instruction ID: 35c5d3fe2d3e09241c7e64589b3d72272acf18b333b5a224a30080435c02c3f4
Opcode Fuzzy Hash: 039cb97e10f06d9adc400d86f9383829d04e16e6f8943dff9f1d25faba4d5736
Instruction Fuzzy Hash: 38D05E366413408FD71A2770E66816837A29BA522634508BBC0168F7A5DF3AC886CA10

Function 00BD23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2131968563.0000000000BD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bd2000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a47c620f05885c26e7d7dc1adccb03da28ea13ad0ecac0841aa92a5dbb283c6
Instruction ID: a2b9c1c2d05e1e07dad54191d7d72167ad7c16f2cd14d16698a6158710607cac
Opcode Fuzzy Hash: 5a47c620f05885c26e7d7dc1adccb03da28ea13ad0ecac0841aa92a5dbb283c6
Instruction Fuzzy Hash: A4D05E792056C14FD3179F1CC1A5B9577D4BB61714F4A44FEAC008B763C768D981DA00

Function 00F20650 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056f189550ce982f723bb38102553b9ab46db6cd46fa8cc0c7b9865e4faf2684
Instruction ID: 1046ecdf04615f9b5f83e782abc15308338d66c51b79419b9a069fa9d77e5994
Opcode Fuzzy Hash: 056f189550ce982f723bb38102553b9ab46db6cd46fa8cc0c7b9865e4faf2684
Instruction Fuzzy Hash: 0AD05E7308E3D08EE3031BB028340A87F329AA330572844BBD081855B3CD2A55A1A723

Function 00BD23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2131968563.0000000000BD2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_bd2000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186fa849ae1721b4b4bd64c3d58ec93e310cf6d56329a4ef20994b7d4c86b0d6
Instruction ID: 0f4fd633081d535c14f0bf2c2a86722017c886b849ba97a46a13988c082bd3c9
Opcode Fuzzy Hash: 186fa849ae1721b4b4bd64c3d58ec93e310cf6d56329a4ef20994b7d4c86b0d6
Instruction Fuzzy Hash: 01D05E353402C14FC715DF0CC6D4F5977D4ABA0B25F0644EDAC108B762C7A8D9C0CA00

Function 00F202AC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a122608d5ded81c6ab67a6cf1ac7b87d523a2be1f23923ff5880976c04ddc9d
Instruction ID: 2659ff7b0a77fe5b7b06bfcc50deceefcbf9a78c778972326bad4807755452fd
Opcode Fuzzy Hash: 2a122608d5ded81c6ab67a6cf1ac7b87d523a2be1f23923ff5880976c04ddc9d
Instruction Fuzzy Hash: 03D05E36109690CB83318758F99888AF7B09F803103418C5ED08306D55CB20AC049701

Function 00F20180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 475d4045b1b8184cd2a6f1fa9f57e309a3f30509044f70c102acb7beecf0f431
Instruction ID: bf91ed113d1e4b15b4b3238953abfb208d9360cf69806d33cc1f87f54135efad
Opcode Fuzzy Hash: 475d4045b1b8184cd2a6f1fa9f57e309a3f30509044f70c102acb7beecf0f431
Instruction Fuzzy Hash: ACD01234201308CFCB282B74E55C0A833AAABA865A30008BED4068B369DF36E881CA00

Function 00F20660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2132449178.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f20000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30933c84061addaeee9e64b75312cbc67200b99e4eb199d335b7975a527d2f69
Instruction ID: 24e6ef5ab5ac6e5eea0b3fead05a7bfb6d01becbe082db0f7d64d68f7977dcc9
Opcode Fuzzy Hash: 30933c84061addaeee9e64b75312cbc67200b99e4eb199d335b7975a527d2f69
Instruction Fuzzy Hash: 11C02B330CA224CAC20417B03C08535770897C1305320C036E201000338E32E4F1B913

Analysis Process: dnshost.exePID: 1992, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	64
Total number of Limit Nodes:	7

Executed Functions

Function 011A23A0 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f`k, xrefs: 011A29C2
f`k, xrefs: 011A26C1

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID: f`k$f`k
API String ID: 0-3251778840
Opcode ID: b9db30854b49111a9e7ca8293ed81af77aff8ad44ae27ac194a101a731e6450e
Instruction ID: e10e078cca03aab4c9176ee81b21106e6393719f0ab686a634a32edbb7c1d055
Opcode Fuzzy Hash: b9db30854b49111a9e7ca8293ed81af77aff8ad44ae27ac194a101a731e6450e
Instruction Fuzzy Hash: 2212DE34A00225CFCB2CDF69D894BADBBF2BF84304F958569D406EB266DB349D41CB51

Function 011A3850 Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eee2086bbe5813bc04ebcdd1b06e73e91490a0811b8b02feceb9e9f546544ff
Instruction ID: 535a5110652d97b383e1a3728f9175c9acb6635108c0ba56e6b2543f0c51a91f
Opcode Fuzzy Hash: 4eee2086bbe5813bc04ebcdd1b06e73e91490a0811b8b02feceb9e9f546544ff
Instruction Fuzzy Hash: 4062F235A04216CFCB19CF68C884AAEBFB2FF85314B5A8569D429DF252C731EC45CB91

Function 011A2FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cfaf7a7e00b45905417fefbfda8ebd7ea979fbfa392cda4327cf74be4702e3
Instruction ID: 177371a5379cb54dca917bdb0d52b5dd33f3d361d6247fd21f5db276d383c8de
Opcode Fuzzy Hash: 86cfaf7a7e00b45905417fefbfda8ebd7ea979fbfa392cda4327cf74be4702e3
Instruction Fuzzy Hash: C281CE36F111158BDB18DB69D940BAEBBE3AFC4214F6A8075E415EB365DF349C018B90

Function 00CBAA02 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CBAAB1

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e36a318c4c870df6ee70ffc90ee31829f8785e29c71dabfdc3519035522c036d
Instruction ID: 64671d57bc8c6cbf1aa45ff6c8bdbb66b69e334b7766ae6fdc0f9289afacdbd1
Opcode Fuzzy Hash: e36a318c4c870df6ee70ffc90ee31829f8785e29c71dabfdc3519035522c036d
Instruction Fuzzy Hash: DF31B472404384AFE722CB51CC45FA7BFBCEF15310F08889AE9858B652D264E90DCB71

Function 050700F6 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0507019D

Memory Dump Source

Source File: 00000008.00000002.2223603493.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5070000_dnshost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b55164f0fc2f39e4206ffd64a699b14f483ce3989637d2e86ab4595f1ebd5158
Instruction ID: d6907e58b4e01c104faa3d74729c566ba80ca40ef5f5bf0dd39ee17a30ca9d71
Opcode Fuzzy Hash: b55164f0fc2f39e4206ffd64a699b14f483ce3989637d2e86ab4595f1ebd5158
Instruction Fuzzy Hash: 9B31B1715093846FE711CB65DC44F9ABFF8EF06214F08849AE984CB292D374E909CB61

Function 00CBAAF9 Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,6CDAD2D4,00000000,00000000,00000000,00000000), ref: 00CBABB4

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3f52e5c38b9b2b25a43a14b7797e7df2110cbb0b2d379e7e6e5ce215e728d1ee
Instruction ID: 222a5623c0bfa90702a29d2e14c01fcbd43d4a836f802b212c3429ce935bdc32
Opcode Fuzzy Hash: 3f52e5c38b9b2b25a43a14b7797e7df2110cbb0b2d379e7e6e5ce215e728d1ee
Instruction Fuzzy Hash: 123191765093846FD722CB61CC44FA2BFB8EF16314F08889AE985CB652D264E949CB71

Function 00CBAF50 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00CBAFEA

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0579d31a3e4651adc0164a18a2f8d99031b92a8f17d7ff97a17ef752e64f383e
Instruction ID: b90a4187f016d9c336b6f967fb371eeec9143b306f9c310448ce3517c3aea1e9
Opcode Fuzzy Hash: 0579d31a3e4651adc0164a18a2f8d99031b92a8f17d7ff97a17ef752e64f383e
Instruction Fuzzy Hash: 582195714093C06FD3138B259C51B62BFB4EF47614F0A85DBE884DB653D224A91AC7B2

Function 00CBAA32 Relevance: 1.6, APIs: 1, Instructions: 74
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CBAAB1

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c0708392b15087932b5cdcf2eb209226bd9a3e5d0ad3bc1a84464ca0e2f26540
Instruction ID: c4031a4f558afb9eaed25c1a0679ac314d50ad58c4af1c819306d12a65550c59
Opcode Fuzzy Hash: c0708392b15087932b5cdcf2eb209226bd9a3e5d0ad3bc1a84464ca0e2f26540
Instruction Fuzzy Hash: D621CF72500204AEE721DF55CD44FABFBECEF14324F04885AE9459B651D774E908DBB2

Function 0507012A Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0507019D

Memory Dump Source

Source File: 00000008.00000002.2223603493.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5070000_dnshost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a936dd97c0422e4edf0ffe62491829e6d478834fff18ebbc2edceaa82ab00b4c
Instruction ID: cbf795510a2357d2beadc7bf7411dcbc7c6a6764b1fa9ff5b75aeef257006c2a
Opcode Fuzzy Hash: a936dd97c0422e4edf0ffe62491829e6d478834fff18ebbc2edceaa82ab00b4c
Instruction Fuzzy Hash: 1721BE71A04244AFE720DF65DD49BAAFBE8EF04224F08886AED498B641D774E508CB65

Function 00CBAB3A Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,6CDAD2D4,00000000,00000000,00000000,00000000), ref: 00CBABB4

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 90e6274f6c1ec72534797d7df98d3ffede4ec98c4c9146014fee7f526cee5505
Instruction ID: 224e28b5db9c38b59fafb834aaaf765d56f23f8f775a3b60c4eb1a1bd537934d
Opcode Fuzzy Hash: 90e6274f6c1ec72534797d7df98d3ffede4ec98c4c9146014fee7f526cee5505
Instruction Fuzzy Hash: E4219076600204AFE721CF55DC44FA6F7ECEF14720F04846AE995CB651D764E908CBB2

Function 00CBB7CA Relevance: 1.6, APIs: 1, Instructions: 61
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 00CBB841

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9af4d5009c9d97622bdf7e91451dc413618dd4e8d811e28f1bd64f51df6e5f45
Instruction ID: 53813be8d43868c3f8961bfa45f696626e11914fbeea62dc0099948d75c90d31
Opcode Fuzzy Hash: 9af4d5009c9d97622bdf7e91451dc413618dd4e8d811e28f1bd64f51df6e5f45
Instruction Fuzzy Hash: 5921C0714093C09FDB228B21DC50A92BFB4EF17310F0D84CAEDC44F163D265A918DB62

Function 00CBA51F Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBA58A

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 194cdd79ed659dbcf0f4fba756d67142d5979cddbecf75a45f21d8e4d2335c91
Instruction ID: 54b08aa0e5d94024f406b8591fe7789f2b394631397f545e8dd91af04483d398
Opcode Fuzzy Hash: 194cdd79ed659dbcf0f4fba756d67142d5979cddbecf75a45f21d8e4d2335c91
Instruction Fuzzy Hash: C3118471409780AFDB228F51DC44A62FFF4EF4A310F0888DEED858B562D275A919DB62

Function 00CBBB4F Relevance: 1.6, APIs: 1, Instructions: 59
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 00CBBBB9

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fa0b8a33f323c1caab5e7da61a431b951c8c28d97abb745302cb624708f1b6d8
Instruction ID: ca9971e49aac30443e8d9e80eb9d5119fd7487c74b98feeb3482c7d6196cb7a6
Opcode Fuzzy Hash: fa0b8a33f323c1caab5e7da61a431b951c8c28d97abb745302cb624708f1b6d8
Instruction Fuzzy Hash: 6111E6755093C0AFDB228F21DC45B52FFB4EF16320F0884DEED858B563D265A818DB62

Function 050705EF Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05070650

Memory Dump Source

Source File: 00000008.00000002.2223603493.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5070000_dnshost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 41fc9ac8d35df7e961757d07db47b6dd2ddd212eb4da447b6a43c813e7dcf41c
Instruction ID: 9473e5a34443432330c3d9b8a4cdbdce96fc14cd2d9bbb51713de3d7ccfc2831
Opcode Fuzzy Hash: 41fc9ac8d35df7e961757d07db47b6dd2ddd212eb4da447b6a43c813e7dcf41c
Instruction Fuzzy Hash: F211D0715093849FDB12CF25DC94B52BFB4EF02224F0884DBEC858B693D279A808CB62

Function 00CBBE05 Relevance: 1.6, APIs: 1, Instructions: 58
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?), ref: 00CBBE70

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 88344f1f22a038db1407148e3cc7839b58479c3f0e138c846db75052a1e6d18c
Instruction ID: 4f97f155b418ca717b87f3da8a6f2dd5f033360724c719ff2e29830349e77b04
Opcode Fuzzy Hash: 88344f1f22a038db1407148e3cc7839b58479c3f0e138c846db75052a1e6d18c
Instruction Fuzzy Hash: 741181754093C0AFD7128B15DC44761BFB4DF47624F0984DAED844F263D269A908CB62

Function 00CBB71E Relevance: 1.6, APIs: 1, Instructions: 57
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 00CBB78A

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9dda55bd691608e951115e2272171fe7aa050cbd694d4c90e876492521768afd
Instruction ID: b5613e632049d281696f9b4f983fcf3ae339a92b22ce9b648dd0e7a7f3b88b25
Opcode Fuzzy Hash: 9dda55bd691608e951115e2272171fe7aa050cbd694d4c90e876492521768afd
Instruction Fuzzy Hash: 65118172508380AFDB21CF55DC44A92FFF4EF4A320F09889EED858B562C375A819DB61

Function 00CBA75B Relevance: 1.6, APIs: 1, Instructions: 52
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(?), ref: 00CBA7BC

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 04841df7d44c68bb6bb2ffcca41a13ab76c21f56c87ffba9b3ac44584c93d346
Instruction ID: 753e6a431d8325c2002a3d8b27fa7d7df42c4ae37ef3978e09db7427d28ee05a
Opcode Fuzzy Hash: 04841df7d44c68bb6bb2ffcca41a13ab76c21f56c87ffba9b3ac44584c93d346
Instruction Fuzzy Hash: 0D116D714493849FDB11CF15DC44B92BFB4EF06324F0984DAED858B253D279A949CB62

Function 00CBA8CC Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CBA926

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 180c539be62f90de4dbca062a93c1cb9bfa3a20522c683e72ed611d577926348
Instruction ID: 00567cdfa8aff6e4d1660d77f3ad54832995e4e977fb6d688b38ec4d488cdbe6
Opcode Fuzzy Hash: 180c539be62f90de4dbca062a93c1cb9bfa3a20522c683e72ed611d577926348
Instruction Fuzzy Hash: 3E11CE31409780AFC721CF11DC85A52FFF4EF06320F09849AED854B262C275A808DB62

Function 00CBA546 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBA58A

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c535beb5d97df1ecfe3bb7dd3c2be07885659504abb93092f811d1580c41431c
Instruction ID: 80a7e525c02234882c5aea28c71502f7b86262c4ba80b61442f3dfd03fc1d375
Opcode Fuzzy Hash: c535beb5d97df1ecfe3bb7dd3c2be07885659504abb93092f811d1580c41431c
Instruction Fuzzy Hash: CC016D325046009FDB31CF95D944B56FBE0EF08320F08C8AAED894AA51D375E518DF62

Function 00CBB746 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 00CBB78A

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 590f838fc01a61173fb84bd176d8abc968ae739c8bbd244dd71ea717034f3888
Instruction ID: 9a6daef833b32e57f33c71aec4666ec33a8d53b7d0a72fbbad457775df2d954f
Opcode Fuzzy Hash: 590f838fc01a61173fb84bd176d8abc968ae739c8bbd244dd71ea717034f3888
Instruction Fuzzy Hash: 390161325046009FDB21CF55D944B96FBE0EF48320F0888AEED454A621D775E418DF71

Function 0507061E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05070650

Memory Dump Source

Source File: 00000008.00000002.2223603493.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5070000_dnshost.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 024f489f223531159eee945492631be4db2fcde8544baf97f34c4ece6043bf54
Instruction ID: de246ededa3f8503cfc2197149d3a3ab32960a65c9a929f2ae3860e324fb1030
Opcode Fuzzy Hash: 024f489f223531159eee945492631be4db2fcde8544baf97f34c4ece6043bf54
Instruction Fuzzy Hash: 1601D4719002448FDB10CF1AE999B6AFBE4EF40324F08C4AADC498B652D275E408CF66

Function 00CBAF9A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 00CBAFEA

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2de834d82461373de56711fbd40d78e0637948f3dc4ad621a936b6984f32b18d
Instruction ID: 283544a795ddabaaad30d32f5918e6fd49c90f620d4f90a85d0c80b9c1b42a44
Opcode Fuzzy Hash: 2de834d82461373de56711fbd40d78e0637948f3dc4ad621a936b6984f32b18d
Instruction Fuzzy Hash: 4D01A271500200ABD310DF16CC46B66FBE8FB88A20F148159EC089BB41D775F956CBE5

Function 00CBBB7E Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00CBBBB9

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0503612fdcfb8210a94129788eeb6bba171e58adf3e39d8c5b9089d183aaddde
Instruction ID: 9646db1f3d597ae9b7ff866ac1a4d3d6d6930aa489edfffae9d5669e9421ce95
Opcode Fuzzy Hash: 0503612fdcfb8210a94129788eeb6bba171e58adf3e39d8c5b9089d183aaddde
Instruction Fuzzy Hash: 4901D4365002009FDB208F16D844BA6FBE0EF04320F08C4AEED454BA65C375E818DF61

Function 00CBA78A Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00CBA7BC

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 9524fbed13c6e39c56940445fe8883dcad2c4c49bd409e3d53c4aba58cc4ef18
Instruction ID: 7a12e2d47afe43c49020fa0efbd4ebc1474fe9c4200339528fb13432546cf726
Opcode Fuzzy Hash: 9524fbed13c6e39c56940445fe8883dcad2c4c49bd409e3d53c4aba58cc4ef18
Instruction Fuzzy Hash: DF01A2755042409FDB10CF16D9847A1FBE4EF04324F08C4AADD899F652D779E508CBA2

Function 00CBB806 Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00CBB841

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 75bc73b7c6eb5e993f9fb62a959393fa649752a5e64bf0f54f57b2dbe0032948
Instruction ID: 98e6d4619539581ad0a1e86f0ab790290f85deff3110c54961541a55b4eaabac
Opcode Fuzzy Hash: 75bc73b7c6eb5e993f9fb62a959393fa649752a5e64bf0f54f57b2dbe0032948
Instruction Fuzzy Hash: 7501A235400240DFDB20CF06D984BA6FBE4EF04324F08C4AAED450B662D3B6E918DFA2

Function 00CBA8EE Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CBA926

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e4162b5b6194206e7f5e6883360a29c721005fbc5dec48e814a522222d32ba4a
Instruction ID: 60a0990286cfa125f4324413016f603f41389759bc6e64fa1ca87d49a15403bb
Opcode Fuzzy Hash: e4162b5b6194206e7f5e6883360a29c721005fbc5dec48e814a522222d32ba4a
Instruction Fuzzy Hash: 3C01AD358006009FDB208F06D985B92FBE0EF05320F09C4AADD860B652C375E808EF62

Function 00CBBE3E Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00CBBE70

Memory Dump Source

Source File: 00000008.00000002.2222147675.0000000000CBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cba000_dnshost.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 91f65ccc43ec664623e959a04edfec84ed1cf41f75c98ec5905ab6c70081ef76
Instruction ID: 3de4f5ccfdb466f6dff275cda2fa7964a7a17435b8a8ebae2c65c0627f7fec10
Opcode Fuzzy Hash: 91f65ccc43ec664623e959a04edfec84ed1cf41f75c98ec5905ab6c70081ef76
Instruction Fuzzy Hash: 7EF0A4359046809FDB20CF06D9847A1FBE0DF04324F08C4AADE454B762D3B9E908CFA2

Function 011A20D0 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 011A230F

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 1f4c7ac51262395e4f0dbcb62ff9cd163147ff1547c52d47b9cedc42818791b7
Instruction ID: c5aa6ca0cc21969e1d179813eabcaaa88c1d9f4264f563764f334b768b1dcfdb
Opcode Fuzzy Hash: 1f4c7ac51262395e4f0dbcb62ff9cd163147ff1547c52d47b9cedc42818791b7
Instruction Fuzzy Hash: 5F718C38A08209DFDF0CDFA4C545AAEBFB1FF85304F5180AAD502DB661D730AA45CB52

Function 011A25DE Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

f`k, xrefs: 011A26C1

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID: f`k
API String ID: 0-1028176591
Opcode ID: 8060a25ca385811ff51fae92adaec0b649f13e79ef594d1932172a46133bccbd
Instruction ID: 6774718e28acf574583ea7c97cbeca29bc3640f27728b5436664c9b51a76f4f4
Opcode Fuzzy Hash: 8060a25ca385811ff51fae92adaec0b649f13e79ef594d1932172a46133bccbd
Instruction Fuzzy Hash: 5531AC70A00245CFDB28DF69E944B9EFBE2BF44318F51C669C008AB666CB749985CB42

Function 011A12A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db09bf9e181d60f8bde29233d13913dc16b48b86a1103d0faebe44fb85d041f9
Instruction ID: bf8bf233ba7b08d6d01778ae3cf01f99369a0ae5681bb22dabffbe0658200fee
Opcode Fuzzy Hash: db09bf9e181d60f8bde29233d13913dc16b48b86a1103d0faebe44fb85d041f9
Instruction Fuzzy Hash: 75220738A00615CFCB28DF25C590A6AFBF2FF48304F158AA9D85A9B716DB34AC45CF51

Function 011A0947 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fa213e4e8241119669488b7d4fb67bc6b2f6d585083863a1adb33882944e13
Instruction ID: ac161dbba4d2aaccf8b1a69c3ba6dd3ad843731c06895cb36157ba55a16db010
Opcode Fuzzy Hash: 56fa213e4e8241119669488b7d4fb67bc6b2f6d585083863a1adb33882944e13
Instruction Fuzzy Hash: 3451F439B04214DFCB199FA4C954BAEBBF2EF88304F558569E507DB661DB309C06CB82

Function 011A02E8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625b8f731099f140b9c21578b06b8cba6e6748caac5c00127ea2dbfb7f93cf87
Instruction ID: 85f43846a6f19dcfc68e24acb61ac9a67e7c493b186576efa391da2fcf1e635b
Opcode Fuzzy Hash: 625b8f731099f140b9c21578b06b8cba6e6748caac5c00127ea2dbfb7f93cf87
Instruction Fuzzy Hash: E151BF74A042048FDB09DF28C5607AE7BF2AF8D314F1584ADE546AB7A1DB35EC05CB92

Function 011A0BC0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450b296885ff45482d270c8d037d1c3a9f7d1c7b6aa893ca9c1b8a203bd3d65d
Instruction ID: 9f9778f7f3cb39dfb57c6cc94e943701ee0a75afb050df8b9a0daa89a625a0ba
Opcode Fuzzy Hash: 450b296885ff45482d270c8d037d1c3a9f7d1c7b6aa893ca9c1b8a203bd3d65d
Instruction Fuzzy Hash: 4F41FC35B042149FC71D9F28C4146AE7BE6AF8A310F1680AAF907DF761CF729C068792

Function 011A0682 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1967712e680bcd0519a15b5a1440653e8b04d2ba2e13cbd6ec355d2620c74da
Instruction ID: 00904dc73fe9e8d53a39a452fd6e8692c0aec8b8c3016121fc7bf4019d3bf30b
Opcode Fuzzy Hash: b1967712e680bcd0519a15b5a1440653e8b04d2ba2e13cbd6ec355d2620c74da
Instruction Fuzzy Hash: 59415A346082518BC7187B75EC0DBAD3AA6EF84706B098A79F403CB271CF788C459F92

Function 011A09A0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa158bd019052db9e4dbcece6cf838afc59ca52519bb2db26520f4768d54d625
Instruction ID: 99ceb7e3527f0f9c4ad059a3bd4519933ccfb5dd03f1c498bae7ba686ca5f553
Opcode Fuzzy Hash: aa158bd019052db9e4dbcece6cf838afc59ca52519bb2db26520f4768d54d625
Instruction Fuzzy Hash: 55419E35B002149FCB05DFA4D858BAEB7F2FF84310F158568E5169B761DB30AC06CB81

Function 011A02DA Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e64e7d3fc1b6d8fb67d4a6f29a5fea5d9e2bc0aad8fee47a1b3e9768b9dc6a
Instruction ID: 8824469628f72c5a2f91c9911ca8458c2527f6b4ce1f8ee72b6be9722d1532d3
Opcode Fuzzy Hash: 61e64e7d3fc1b6d8fb67d4a6f29a5fea5d9e2bc0aad8fee47a1b3e9768b9dc6a
Instruction Fuzzy Hash: 3F418B78A042088FDB1CCF68C190BAE7BB2AF8D314F25446DE502AB7A0DB71AC45CB51

Function 011A0006 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07858cf7da9eb4980b26fd6e7984bdce8970f8701b39c377efe15d664992220d
Instruction ID: c6dff2363b378d9f98e186bd85c51ace99a29ea0d593ec40b3747fedf183d87a
Opcode Fuzzy Hash: 07858cf7da9eb4980b26fd6e7984bdce8970f8701b39c377efe15d664992220d
Instruction Fuzzy Hash: AD316B7014D3C18FC70AAB3499249997FB0AF43214B4A49EEE0C1CB2A7D7399D09DB12

Function 011A1292 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afedf9042a5303ba2d321e0ad39bc933653770dde5abe78c029bfa19dc1a3c1
Instruction ID: 92b2806c2c872e6373c44e11132b5df45161d268af3794b6427f7d24db3ea20b
Opcode Fuzzy Hash: 2afedf9042a5303ba2d321e0ad39bc933653770dde5abe78c029bfa19dc1a3c1
Instruction Fuzzy Hash: E9416A38A04319DFCB28DF65C840B9DBBB2AF09304F4145EAD44AAB751CB309D84CF62

Function 011A21E8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3685fd9ea0a2e01b8f09b62cbf305b170a70b430346307b34b827a28aa294d
Instruction ID: e070a1dcecf1eea513e83b22930215bc36a71e40735dfe218c5a0765a02d9fbf
Opcode Fuzzy Hash: dd3685fd9ea0a2e01b8f09b62cbf305b170a70b430346307b34b827a28aa294d
Instruction Fuzzy Hash: 2E316738A0820ADFCB5CDBA4C585AEEBFB0FF45304F5145ABD402A7661D7349A45CB53

Function 011A4270 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b960524ff5145e32877a628359a90eeea94f1ffdac185a04937cd4d1da8a98
Instruction ID: 15ddd49bc983a5cfdfdb318c2fe60ac6261a38434c9a308647d76a455597c104
Opcode Fuzzy Hash: d2b960524ff5145e32877a628359a90eeea94f1ffdac185a04937cd4d1da8a98
Instruction Fuzzy Hash: D3113A35A042158BCB1CE7B5E8016BF7AAA9F85204F86093BD50787E40DFB4980487A3

Function 011A21F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102ff1ebf3081215c8a7e90ae72a66b43aa55d0236aa0dda2240af4c355c9388
Instruction ID: 2c977ba0c516e17c96dee87a0dad1b7ccb221beca2d706fc817b57bfe2a2f868
Opcode Fuzzy Hash: 102ff1ebf3081215c8a7e90ae72a66b43aa55d0236aa0dda2240af4c355c9388
Instruction Fuzzy Hash: F5212838E08209DFCB5CDBA8C145BAEBBB0BF44304F51856AD402A7661D7319A44CB92

Function 01360855 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222954948.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1360000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe57ac5f9cb23e5678fc94f8c312edea74a38f1e1e826f6ed88ed1340d9adea
Instruction ID: 6b7e221cee9757939d2be70f69ab58f0c2a887bb94d9c22af4057bcd1b27e275
Opcode Fuzzy Hash: dbe57ac5f9cb23e5678fc94f8c312edea74a38f1e1e826f6ed88ed1340d9adea
Instruction Fuzzy Hash: B2214F3110D3C49FD7178B24C951715BFB2AF47218F29C5EEE4898B6A3C33A8846DB52

Function 0136088C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222954948.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1360000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fd69c82ed5be34c094232931748e75200434fa9d944f0b387448728e29f258
Instruction ID: 856d9be6b32b39ed7355999d0cb842274197253c989ad669b6930aab2165c819
Opcode Fuzzy Hash: 85fd69c82ed5be34c094232931748e75200434fa9d944f0b387448728e29f258
Instruction Fuzzy Hash: EA11D530204284DFD319CB14D541B16BBDAAB8971CF24C9ACF44947B57C77BD803C691

Function 011A2390 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43668738976ec5b3ff87336626c15bc99b343a11cfbbaaf2128cc670b1953ee7
Instruction ID: 5bbe1ec876963ba650d23e0ea6f5c9c3c58b1f5f973401f1c671da563e476e16
Opcode Fuzzy Hash: 43668738976ec5b3ff87336626c15bc99b343a11cfbbaaf2128cc670b1953ee7
Instruction Fuzzy Hash: 2A118578D0825ADFCB2C8F64C841ABEBFB0EB49304F01496ED502A7750DB784A46CF92

Function 011A05BA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9799b5b75f54bb85707d94689b0aa4ff6d08f618e3315b3fb2563c1d2c47f6
Instruction ID: 8f3694f8ba442fbd94cefd2450710d8a208f6720945ebeb8a79f85f828851e13
Opcode Fuzzy Hash: 3f9799b5b75f54bb85707d94689b0aa4ff6d08f618e3315b3fb2563c1d2c47f6
Instruction Fuzzy Hash: 7801D6317041240B8B19633954556FE27974FC964871A086FD00ADB397CF698C475393

Function 011A1209 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757d08f39aeb85b3ca711d9306c37b40640767ad8c51c5015c1f98b4421ac4b7
Instruction ID: ffae54a328f71bec3bcadbc65e1a944721cc40c7396dd53a28c2f792974227b9
Opcode Fuzzy Hash: 757d08f39aeb85b3ca711d9306c37b40640767ad8c51c5015c1f98b4421ac4b7
Instruction Fuzzy Hash: 4D017C343081509FC70CAB29D4589ADBBE6AFC6214B6605ABE006CB7B5CF75CC098B53

Function 013605E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222954948.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1360000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8c79aa738806009abc27129bce719a8013d7885524b2f5b2a1a1b3a6e3ee28
Instruction ID: 13871699ad592dfbab47e6f3b04574f5485d940408c9202b33bf1d9c8f9ac803
Opcode Fuzzy Hash: 6a8c79aa738806009abc27129bce719a8013d7885524b2f5b2a1a1b3a6e3ee28
Instruction Fuzzy Hash: C301DBB54093806FD7118B05DC41863FFF8DB86220709C89FEC498BB12C125B809CBB2

Function 011A05C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de8808df85b2976a20bbd93fd59ba0682dabeff981027d8f74f44818def0cb1
Instruction ID: 79f7421e9ae40ca2a14ecf18b888712b93139d83d1bf7b6363a2309c5b2fe362
Opcode Fuzzy Hash: 9de8808df85b2976a20bbd93fd59ba0682dabeff981027d8f74f44818def0cb1
Instruction Fuzzy Hash: 59F090327001341B4A08327E95156BF628B5FC9648B1A482FE00ADB396CF798C4313E7

Function 011A1218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0effeb25c778ad2245a72d31b9fc1f7e1c15d3064463508b2a65cf907d69f4c7
Instruction ID: 11a26f1b752aadb901259703db4458d40128007137d437cfebb4ec8d31bd322b
Opcode Fuzzy Hash: 0effeb25c778ad2245a72d31b9fc1f7e1c15d3064463508b2a65cf907d69f4c7
Instruction Fuzzy Hash: 7A016974304010DBC60CAB29D0189ADBBEAAFC9614B6644ABE106CB7A5CF75DC088B92

Function 011A4261 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8312921d64c3d05d92c267509fee4aea2870eede04af9e3808c02fd0be45c0a3
Instruction ID: 81de70e603e56650dcd8ae107e8cdfb8b939f36fcc81747c2ec455fe1789c400
Opcode Fuzzy Hash: 8312921d64c3d05d92c267509fee4aea2870eede04af9e3808c02fd0be45c0a3
Instruction Fuzzy Hash: C2F05C3864C388CFCB5D5771BC058EF7F689A8518078A067BD402C3811DBF501098B52

Function 01360948 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222954948.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1360000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction ID: da4bb426f8c116028b5a83cd753b359cb9e52c316175b9866f20f6f7a794ae87
Opcode Fuzzy Hash: c30635a0e6af16a6a197144af85e8a9835070687e5ebc4d8ab7d7d1f32a71237
Instruction Fuzzy Hash: 16F01D35104644DFC306CB04D941B15FBE6FB89718F24CAADE94917B66C737D813DA81

Function 01360606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222954948.0000000001360000.00000040.00000020.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1360000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cf946a7309547e0dd20e19eb3bb6f8920186f80834f60bb65e03177155cd69
Instruction ID: 171dd5dd9f5ed935a16eae636df41cfd4cff478e3358ad40b95c2f0889ab2860
Opcode Fuzzy Hash: 22cf946a7309547e0dd20e19eb3bb6f8920186f80834f60bb65e03177155cd69
Instruction Fuzzy Hash: 12E092B66006044B9650CF0AEC41452F7D8EB88630708C47FDC0D8BB11D639B509CEA5

Function 011A02A1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1149183155f5cb367cf20b9395b4759379066f60eed3ccb03982b974426e5c75
Instruction ID: ae7bf690ce39461c7df2e80a3ced0c036140e7b753cbc9cd00da2e29abd69d6d
Opcode Fuzzy Hash: 1149183155f5cb367cf20b9395b4759379066f60eed3ccb03982b974426e5c75
Instruction Fuzzy Hash: B4E0C238108340CFC36A8B60E955CD5BBE0AF863103028D5EE08347D20C734AE05CB02

Function 011A016F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09355bdff1c1eb120b78b43e1a3614de81ec0da163ff060cede9b733d7c0e2c
Instruction ID: f32ae7e886eb022e24af68bb5d425f03a6d157f3c9743900c79ab9d05f559e3e
Opcode Fuzzy Hash: f09355bdff1c1eb120b78b43e1a3614de81ec0da163ff060cede9b733d7c0e2c
Instruction Fuzzy Hash: B8D05B366453448FCB1D6770E5596AC3B719F5620571004BED007C7762DB36C446CA00

Function 011A0650 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ba5642af23853d99bfc0b572dd03572b5eea890d62d9429b51ed815d95ddfa
Instruction ID: c5c8cfba5cc2f96a5dcc75c83162201e8e6087a71c1c9c0be708fbe12cbdfd84
Opcode Fuzzy Hash: a1ba5642af23853d99bfc0b572dd03572b5eea890d62d9429b51ed815d95ddfa
Instruction Fuzzy Hash: 87D0A77108F381CFD38E4F70AC245A97F62EB92329759447BF08182032D73A9996CB23

Function 00CB23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222129608.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cb2000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f538d48e42ab08aae02358bbdcac035752eebab10b4c74e0d0e7d6526ecd7ba
Instruction ID: 42695bc8bff2f493322d1eb6769a3a44678f3fa10e17c6e32300285d9a11c12c
Opcode Fuzzy Hash: 1f538d48e42ab08aae02358bbdcac035752eebab10b4c74e0d0e7d6526ecd7ba
Instruction Fuzzy Hash: 7FD05E792456C14FD3169E1CC1A4BD53BD4BF61715F4A44FDAC008BB63C768DA85EA00

Function 00CB23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222129608.0000000000CB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_cb2000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3a0a62ab0045dc2cf56f9c1c941dbc931cf62619df1370c8c1d9a503b2575e
Instruction ID: 65c89363dfed2a5ef7e57cb762e9d54705f485459528975f522e33801a0b0036
Opcode Fuzzy Hash: fe3a0a62ab0045dc2cf56f9c1c941dbc931cf62619df1370c8c1d9a503b2575e
Instruction Fuzzy Hash: 6FD05E353402814BC715DE0CC6D4F9937D8AB54B15F0644ECAC208B772C7A8DAC0CA00

Function 011A0180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765c4d6a3046860f900d77ec1f9cbbb5d6ea56931c9883776c1d7aa3bfe09a7f
Instruction ID: b3fe39e45931ae5924967e4fc955c8d9698d5494ba1124fbb9fdaf13f83b90fc
Opcode Fuzzy Hash: 765c4d6a3046860f900d77ec1f9cbbb5d6ea56931c9883776c1d7aa3bfe09a7f
Instruction Fuzzy Hash: 0DD01234201308CBCB1C2B70E61CA6C33AAAF8860A31008BEE40787361DF36E880CA00

Function 011A0660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222795664.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11a0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c967c6e58d0cacd5608429db4c207bb815c7757920f0f2b181bee9ddd3012bd
Instruction ID: 0375504ac0e496bc059e8a79e3330ad212c5314118b60587a2f9ed5f429cc9cb
Opcode Fuzzy Hash: 4c967c6e58d0cacd5608429db4c207bb815c7757920f0f2b181bee9ddd3012bd
Instruction Fuzzy Hash: C8C02B3408A204CA824C17B05C08A39770897C430D7A5C037F005000219F32E4E18813

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NYQbqD59m8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DNS Host\dnshost.exe

C:\Program Files (x86)\DNS Host\dnshost.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NYQbqD59m8.exe.log

Windows Analysis Report
NYQbqD59m8.exe

Function 018D9540 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Function 018DBC90 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Function 018D23A0 Relevance: 3.0, Strings: 2, Instructions: 505
COMMON

Function 0578300C Relevance: 1.6, APIs: 1, Instructions: 94
networkCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre