
Windows Analysis Report
UOp1kufsuw.exe

Overview

General Information

Sample name: UOp1kufsuw.exe (renamed because original name is a hash value)
Original sample name: 3B4EE472D9C872BA1D96B7A676E809BA.exe
Analysis ID: 1542429
MD5: 3b4ee472d9c872ba1d96b7a676e809ba
SHA1: 33186a216fe8a37a993f42477b8f813a56ba5f09
SHA256: a317bcadef76feec57223d92244a322eb4409990808a7bab96cc929fbc4a7164
Tags: exe, NanoCore, RAT, user-abuse_ch

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Suricata IDS alerts for network traffic
Yara detected Nanocore RAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • UOp1kufsuw.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\UOp1kufsuw.exe" MD5: 3B4EE472D9C872BA1D96B7A676E809BA)
    • dw20.exe (PID: 1720 cmdline: dw20.exe -x -s 2356 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
  • cleanup
Malware Configuration

{
  "Version": "1.2.2.0",
  "Mutex": "eb61e2ce-2d81-45ac-8d80-3083f0de",
  "Group": "Default",
  "Domain1": "josh289232.duckdns.org",
  "Domain2": "",
  "Port": 1608,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Enable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Enable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 29985,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8006,
  "BufferSize": "02000100",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "1.1.1.1",
  "BackupDNSServer": "1.0.0.1",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}
Yara Overview

Initial Sample

Source: UOp1kufsuw.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: UOp1kufsuw.exe | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
    • 0x1018d:$a1: NanoCore.ClientPluginHost
    • 0x1014d:$a2: NanoCore.ClientPlugin
    • 0x120a6:$b1: get_BuilderSettings
    • 0xffa9:$b2: ClientLoaderForm.resources
    • 0x117c6:$b3: PluginCommand
    • 0x1017e:$b4: IClientAppHost
    • 0x1a5fe:$b5: GetBlockHash
    • 0x126fe:$b6: AddHostEntry
    • 0x163f1:$b7: LogClientException
    • 0x1266b:$b8: PipeExists
    • 0x101b7:$b9: IClientLoggingHost
Source: UOp1kufsuw.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q
Source: UOp1kufsuw.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: UOp1kufsuw.exe | Rule: Nanocore | Description: detect Nanocore in memory | Author: JPCERT/CC Incident Response Group
    • 0xfef5:$v1: NanoCore Client
    • 0xff05:$v1: NanoCore Client
    • 0x117c6:$v2: PluginCommand
    • 0x117ae:$v3: CommandType
Dropped Files

Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
      • 0x1018d:$a1: NanoCore.ClientPluginHost
      • 0x1014d:$a2: NanoCore.ClientPlugin
      • 0x120a6:$b1: get_BuilderSettings
      • 0xffa9:$b2: ClientLoaderForm.resources
      • 0x117c6:$b3: PluginCommand
      • 0x1017e:$b4: IClientAppHost
      • 0x1a5fe:$b5: GetBlockHash
      • 0x126fe:$b6: AddHostEntry
      • 0x163f1:$b7: LogClientException
      • 0x1266b:$b8: PipeExists
      • 0x101b7:$b9: IClientLoggingHost
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
      • 0xfef5:$a: NanoCore
      • 0xff05:$a: NanoCore
      • 0x10139:$a: NanoCore
      • 0x1014d:$a: NanoCore
      • 0x1018d:$a: NanoCore
      • 0xff54:$b: ClientPlugin
      • 0x10156:$b: ClientPlugin
      • 0x10196:$b: ClientPlugin
      • 0x1007b:$c: ProjectData
      • 0x10a82:$d: DESCrypto
      • 0x1844e:$e: KeepAlive
      • 0x1643c:$g: LogClientMessage
      • 0x12637:$i: get_Connected
      • 0x10db8:$j: #=q
      • 0x10de8:$j: #=q
      • 0x10e04:$j: #=q
      • 0x10e34:$j: #=q
      • 0x10e50:$j: #=q
      • 0x10e6c:$j: #=q
      • 0x10e9c:$j: #=q
      • 0x10eb8:$j: #=q
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Rule: Nanocore | Description: detect Nanocore in memory | Author: JPCERT/CC Incident Response Group
      • 0xfef5:$v1: NanoCore Client
      • 0xff05:$v1: NanoCore Client
      • 0x117c6:$v2: PluginCommand
      • 0x117ae:$v3: CommandType
Memory Dumps

Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
      • 0x2205:$a1: NanoCore.ClientPluginHost
      • 0x227f:$a2: NanoCore.ClientPlugin
      • 0x29a0:$b7: LogClientException
      • 0x221f:$b9: IClientLoggingHost
Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x2205:$x1: NanoCore.ClientPluginHost
      • 0x223e:$x2: IClientNetworkHost
Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
      • 0x227f:$x2: NanoCore.ClientPlugin
      • 0x2205:$x3: NanoCore.ClientPluginHost
      • 0x2295:$i3: IClientNetwork
      • 0x221f:$i6: IClientLoggingHost
      • 0x223e:$i7: IClientNetworkHost
      • 0x1f9f:$s1: ClientPlugin
      • 0x2288:$s1: ClientPlugin
Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
      • 0x13a8:$a1: NanoCore.ClientPluginHost
      • 0x13f2:$a2: NanoCore.ClientPlugin
      • 0x13c2:$b9: IClientLoggingHost
Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x13a8:$x1: NanoCore.ClientPluginHost
Unpacked PEs

Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
      • 0x350b:$a1: NanoCore.ClientPluginHost
      • 0x34e2:$a2: NanoCore.ClientPlugin
      • 0x5854:$b7: LogClientException
      • 0x34f8:$b9: IClientLoggingHost
Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x350b:$x1: NanoCore.ClientPluginHost
      • 0x3525:$x2: IClientNetworkHost
Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
      • 0x34e2:$x2: NanoCore.ClientPlugin
      • 0x350b:$x3: NanoCore.ClientPluginHost
      • 0x34d3:$i3: IClientNetwork
      • 0x34f8:$i6: IClientLoggingHost
      • 0x3525:$i7: IClientNetworkHost
      • 0x334e:$s1: ClientPlugin
      • 0x34eb:$s1: ClientPlugin
Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
      • 0x13a8:$a1: NanoCore.ClientPluginHost
      • 0x13f2:$a2: NanoCore.ClientPlugin
      • 0x13c2:$b9: IClientLoggingHost
Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x13a8:$x1: NanoCore.ClientPluginHost

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\UOp1kufsuw.exe, ProcessId: 7540, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\UOp1kufsuw.exe, ProcessId: 7540, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files (x86)\DNS Host\dnshost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\UOp1kufsuw.exe, ProcessId: 7540, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\UOp1kufsuw.exe, ProcessId: 7540, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\UOp1kufsuw.exe, ProcessId: 7540, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat
Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-25T22:42:00.335710+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.514835+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.593225+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.737470+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.824773+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.987100+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:01.127816+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:05.878143+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.068689+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.424759+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.489359+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.612266+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.737358+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.737089+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.862183+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.987198+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.049873+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.174642+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.315306+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.206118+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.330973+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.456131+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.518453+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.678686+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.759866+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.159081+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.221561+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.346437+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.471604+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.596566+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.659146+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.784406+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.910726+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:41.925080+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.034341+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.143486+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.190470+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.299657+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.409054+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.518393+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.630418+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.674661+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.784042+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:46.909134+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.002752+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.097148+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.190448+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.284235+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.377767+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.471730+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.518517+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.612358+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.784450+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.917609+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.987155+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.065452+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.143337+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.205971+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.284197+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.362266+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.440306+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.518417+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.596769+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.741136+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.752638+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.712451+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.722780+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.737417+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.752692+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.659024+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.674546+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.690156+0200 | 2046914 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-25T22:42:00.287740+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:05.809428+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.633675+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.088454+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.119393+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:41.857493+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:46.834378+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.763262+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.735746+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.707028+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.652615+0200 | 2025019 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-25T22:42:00.335710+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.514835+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.593225+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.737470+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.824773+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.987100+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:01.127816+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:05.878143+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.068689+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.424759+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.489359+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.612266+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.737358+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.737089+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.862183+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.987198+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.049873+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.174642+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.315306+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.206118+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.330973+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.456131+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.518453+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.678686+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.759866+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.159081+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.221561+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.346437+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.471604+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.596566+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.659146+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.784406+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.910726+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:41.925080+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.034341+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.143486+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.190470+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.299657+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.409054+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.518393+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.630418+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.674661+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.784042+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:46.909134+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.002752+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.097148+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.190448+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.284235+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.377767+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.471730+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.518517+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.612358+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.784450+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.917609+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.987155+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.065452+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.143337+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.205971+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.284197+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.362266+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.440306+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.518417+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.596769+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.741136+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.752638+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.712451+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.722780+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.737417+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.752692+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.659024+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.674546+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.690156+0200 | 2822326 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-10-25T22:42:06.424759+020028167181A Network Trojan was detected192.168.2.549720192.169.69.261608TCP

      AV Detection

      Source: UOp1kufsuw.exe | Avira: detected
      Source: http://google.com | URL Reputation: Label: malware
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
      Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "eb61e2ce-2d81-45ac-8d80-3083f0de", "Group": "Default", "Domain1": "josh289232.duckdns.org", "Domain2": "", "Port": 1608, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29985, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8006, "BufferSize": "02000100", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "1.1.1.1", "BackupDNSServer": "1.0.0.1", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | ReversingLabs: Detection: 97%
      Source: UOp1kufsuw.exe | ReversingLabs: Detection: 97%
      Source: Yara match | File source: UOp1kufsuw.exe, type: SAMPLE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR
      Source: Yara match | File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe | Joe Sandbox ML: detected
      Source: UOp1kufsuw.exe | Joe Sandbox ML: detected
      Source: UOp1kufsuw.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
      Source: Binary string: \??\C:\Windows\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 4x nop then mov esp, ebp | 0_2_050BB208

      Networking

      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49716 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49716 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49741 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49720 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49741 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49720 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49722 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49722 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.5:49720 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49867 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49867 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49826 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49826 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49897 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49924 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49924 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49897 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49996 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:50000 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:50000 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49997 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49996 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49997 -> 192.169.69.26:1608
      Source: Malware configuration extractor | URLs:
      Source: Malware configuration extractor | URLs: josh289232.duckdns.org
      Source: unknown | DNS query: name: josh289232.duckdns.org
      Source: Joe Sandbox View | IP Address: 192.169.69.26
      Source: Joe Sandbox View | ASN Name: WOWUS
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49716 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49741 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49720 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49722 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49826 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49867 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49897 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49924 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49996 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49997 -> 192.169.69.26:1608
      Source: Network traffic | Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:50000 -> 192.169.69.26:1608
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.0.0.1
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_052732B6 WSARecv, | 0_2_052732B6
      Source: global traffic | DNS traffic detected: DNS query: josh289232.duckdns.org
      Source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://google.com
      Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
      Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices | memstr_ef4f8772-7

      E-Banking Fraud

      Source: Yara match | File source: UOp1kufsuw.exe, type: SAMPLE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR
      Source: Yara match | File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

      System Summary

      Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d70000.15.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d70000.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d70000.15.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5da0000.16.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5da0000.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5da0000.16.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.56c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.56c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.56c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d70000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d70000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d70000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5950000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5950000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5950000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.410151c.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.410151c.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.410151c.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d10000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d10000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d10000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5efe8a4.22.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5efe8a4.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5efe8a4.22.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5950000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5950000.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5950000.7.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5ef4c9f.20.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5ef4c9f.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5ef4c9f.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTRMatched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPEDMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPEDMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPEDMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPEDMatched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPEDMatched rule: Detects NanoCore Author: ditekSHen
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_05271966 NtQuerySystemInformation, | 0_2_05271966
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_0527192B NtQuerySystemInformation, | 0_2_0527192B
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_05F342EB | 0_2_05F342EB
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_05F346D3 | 0_2_05F346D3
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_05F33324 | 0_2_05F33324
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050B3850 | 0_2_050B3850
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050B9370 | 0_2_050B9370
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050B9F70 | 0_2_050B9F70
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050B2FA8 | 0_2_050B2FA8
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050B23A0 | 0_2_050B23A0
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050BE2C8 | 0_2_050BE2C8
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050BBAC0 | 0_2_050BBAC0
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050BA037 | 0_2_050BA037
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050B306F | 0_2_050B306F
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050BC787 | 0_2_050BC787
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050B32BB | 0_2_050B32BB
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Code function: 0_2_050BC6C0 | 0_2_050BC6C0
Source: C:\Users\user\Desktop\UOp1kufsuw.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2356
Source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011050016.0000000005DA8000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011260033.0000000005F18000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe, 00000000.00000002.3011160273.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs UOp1kufsuw.exe
Source: UOp1kufsuw.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: NanoCore | date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: Nanocore | author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: UOp1kufsuw.exe, type: SAMPLE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.UOp1kufsuw.exe.5da0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.UOp1kufsuw.exe.5d30000.11.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.5d70000.15.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.5d70000.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.UOp1kufsuw.exe.5d70000.15.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.5da0000.16.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.5da0000.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.UOp1kufsuw.exe.5da0000.16.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.56c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.56c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.UOp1kufsuw.exe.56c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.5f30000.23.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.5f30000.23.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.UOp1kufsuw.exe.5f30000.23.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore | author = ditekSHen, description = Detects NanoCore
Source: 0.2.UOp1kufsuw.exe.5d70000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 | reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.UOp1kufsuw.exe.5d70000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 | date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d70000.15.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5950000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5950000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5950000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.410151c.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.410151c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.410151c.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5be0000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d10000.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d10000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d10000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5efe8a4.22.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5efe8a4.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5efe8a4.22.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5f30000.23.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5950000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5950000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5950000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5ef4c9f.20.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5ef4c9f.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5ef4c9f.20.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d20000.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d40000.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d60000.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5d50000.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.5ef0000.21.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.2fbe1e4.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.2fca424.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.UOp1kufsuw.exe.2fb93b0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: UOp1kufsuw.exe Static PE information: Section: .rsrc ZLIB complexity 1.0003032248858448
      Source: dnshost.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 1.0003032248858448
      Source: UOp1kufsuw.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: UOp1kufsuw.exe, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: dnshost.exe.0.dr, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: classification engine Classification label: mal100.troj.evad.winEXE@3/7@40/1
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Code function: 0_2_05271726 AdjustTokenPrivileges,0_2_05271726
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Code function: 0_2_052716EF AdjustTokenPrivileges,0_2_052716EF
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe File created: C:\Program Files (x86)\DNS Host
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe File created: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Mutant created: NULL
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{eb61e2ce-2d81-45ac-8d80-3083f0def8b6}
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4a68f922-acce-491c-a4ed-396a8d970cc7
      Source: UOp1kufsuw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: UOp1kufsuw.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: UOp1kufsuw.exe ReversingLabs: Detection: 97%
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe File read: C:\Users\user\Desktop\UOp1kufsuw.exe
      Source: unknown Process created: C:\Users\user\Desktop\UOp1kufsuw.exe "C:\Users\user\Desktop\UOp1kufsuw.exe"
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2356
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2356
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: UOp1kufsuw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
      Source: Binary string: \??\C:\Windows\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: UOp1kufsuw.exe, 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Windows\System.pdb source: UOp1kufsuw.exe, 00000000.00000002.3007060261.0000000001545000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
      Source: UOp1kufsuw.exe, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
      Source: UOp1kufsuw.exe, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs .Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
      Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
      Source: dnshost.exe.0.dr, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
      Source: dnshost.exe.0.dr, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs .Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Code function: 0_2_011E9E24 pushfd ; retf 0_2_011E9E25
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Code function: 0_2_011E9E5C pushfd ; retf 0_2_011E9E5D
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe File created: C:\Program Files (x86)\DNS Host\dnshost.exe
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\UOp1kufsuw.exe File opened: C:\Users\user\Desktop\UOp1kufsuw.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Memory allocated: 1270000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Memory allocated: 2FA0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Memory allocated: 1270000 memory commit | memory reserve | memory write watch
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Window / User API: threadDelayed 7216
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Window / User API: foregroundWindowGot 726
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Window / User API: foregroundWindowGot 773
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7616 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7628 Thread sleep time: -43500s >= -30000s
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7612 Thread sleep time: -420000s >= -30000s
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe TID: 7628 Thread sleep time: -3608000s >= -30000s
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Code function: 0_2_0527138E GetSystemInfo,0_2_0527138E
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Thread delayed: delay time: 922337203685477
      Source: Amcache.hve.4.dr Binary or memory string: VMware
      Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
      Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
      Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: dw20.exe, 00000004.00000003.3005555367.000000000053F000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000002.3006882712.000000000051B000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000002.3006882712.0000000000540000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000003.3005457294.000000000053D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: dw20.exe, 00000004.00000003.3005555367.000000000053F000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000002.3006882712.0000000000540000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000004.00000003.3005457294.000000000053D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
      Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
      Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
      Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
      Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2356
      Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000003118000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3006187082.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000003080000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
      Source: C:\Users\user\Desktop\UOp1kufsuw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
      Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

      Stealing of Sensitive Information

      Source: Yara match File source: UOp1kufsuw.exe, type: SAMPLE
      Source: Yara match File source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR
      Source: Yara match File source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED

      Remote Access Functionality

      Source: UOp1kufsuw.exe String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: UOp1kufsuw.exe, 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: UOp1kufsuw.exe, 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: UOp1kufsuw.exe, 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: UOp1kufsuw.exe, 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyw
ordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.Design
HelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFil
eVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownl
oadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHan
dleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: UOp1kufsuw.exe, 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.Design
HelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyw
ordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.Design
HelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFil
eVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownl
oadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHan
dleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: UOp1kufsuw.exe, 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exe, 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: UOp1kufsuw.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: dnshost.exe.0.drString found in binary or memory: NanoCore.ClientPluginHost
      Source: Yara matchFile source: UOp1kufsuw.exe, type: SAMPLE
      Source: Yara matchFile source: 0.2.UOp1kufsuw.exe.5db4629.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.UOp1kufsuw.exe.5db0000.18.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.0.UOp1kufsuw.exe.860000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.UOp1kufsuw.exe.5db0000.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.UOp1kufsuw.exe.40f04be.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.UOp1kufsuw.exe.40f52ea.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0.2.UOp1kufsuw.exe.410151c.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: UOp1kufsuw.exe PID: 7540, type: MEMORYSTR
      Source: Yara matchFile source: C:\Program Files (x86)\DNS Host\dnshost.exe, type: DROPPED
      Source: C:\Users\user\Desktop\UOp1kufsuw.exeCode function: 0_2_05272DFA bind,0_2_05272DFA
      Source: C:\Users\user\Desktop\UOp1kufsuw.exeCode function: 0_2_05272DDA bind,0_2_05272DDA
      MITRE ATT&CK matrix (techniques listed per tactic; a leading number is the count the report shows for that technique):
      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
      Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
      Privilege Escalation: 1 Access Token Manipulation; 12 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
      Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading
      Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
      Discovery: 111 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
      Collection: 11 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
      Command and Control: 1 Encrypted Channel; 1 Remote Access Software; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
            Source | Detection | Scanner | Label | Link
            UOp1kufsuw.exe | 97% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |
            UOp1kufsuw.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
            UOp1kufsuw.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Program Files (x86)\DNS Host\dnshost.exe | 100% | Avira | TR/Dropper.MSIL.Gen7 |
            C:\Program Files (x86)\DNS Host\dnshost.exe | 100% | Joe Sandbox ML | |
            C:\Program Files (x86)\DNS Host\dnshost.exe | 97% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore |

            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            http://upx.sf.net | 0% | URL Reputation | safe |
            http://google.com | 100% | URL Reputation | malware |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            josh289232.duckdns.org | 192.169.69.26 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            | true | | unknown
            josh289232.duckdns.org | true | | unknown

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
            http://google.com | UOp1kufsuw.exe, 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, UOp1kufsuw.exe, 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            192.169.69.26 | josh289232.duckdns.org | United States | | 23033 | WOWUS | true
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1542429
            Start date and time:2024-10-25 22:41:05 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 1s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:5
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:UOp1kufsuw.exe
            renamed because original name is a hash value
            Original Sample Name:3B4EE472D9C872BA1D96B7A676E809BA.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@3/7@40/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 91%
            • Number of executed functions: 273
            • Number of non-executed functions: 10
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded IPs from analysis (whitelisted): 93.184.221.240, 52.168.117.173, 13.89.179.12
            • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: UOp1kufsuw.exe
            Time | Type | Description
            16:41:58 | API Interceptor | 684729x Sleep call for process: UOp1kufsuw.exe modified
            16:43:31 | API Interceptor | 1x Sleep call for process: dw20.exe modified
            22:42:00 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DNS Host C:\Program Files (x86)\DNS Host\dnshost.exe
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            192.169.69.26 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | yuya0415.duckdns.org:1928/Vre
            192.169.69.26 | confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
            192.169.69.26 | oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
            192.169.69.26 | oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
            192.169.69.26 | http://yvtplhuqem.duckdns.org/ja/ | malicious | Unknown | yvtplhuqem.duckdns.org/ja/
            192.169.69.26 | http://fqqqffcydg.duckdns.org/en/ | malicious | Unknown | fqqqffcydg.duckdns.org/en/
            192.169.69.26 | http://yugdzvsqnf.duckdns.org/en/ | malicious | Unknown | yugdzvsqnf.duckdns.org/en/
            192.169.69.26 | &nuevo_pedido#..vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
            192.169.69.26 | transferencia_Hsbc.xlsx | malicious | Unknown | servidorarquivos.duckdns.org/e/e
            192.169.69.26 | http://www.secure-0fflce-o365.duckdns.org/ | malicious | Unknown | www.secure-0fflce-o365.duckdns.org/
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            WOWUS | EXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletOpsistype.vbs | malicious | Remcos, GuLoader | 192.169.69.26
            WOWUS | DHL AWB_NO_928473.exe | malicious | Remcos | 192.169.69.26
            WOWUS | IMG465244247443 ORDER Opmagasinering.exe | malicious | XWorm | 192.169.69.26
            WOWUS | 172966494683a361ba19e5107ad739c4261113c8b850c2db5512e1d9850ba41c9e7130006e629.dat-decoded.exe | malicious | Remcos | 192.169.69.26
            WOWUS | 17296642858200fb7d98884fd3fefd8063bc539e47fc39cf313b464256316dfe4c77155349452.dat-decoded.exe | malicious | Remcos | 192.169.69.26
            WOWUS | 1729664285eb7bb07492581d20804d3375475106471ac08a7fba0ab7603fe6a80254c04d4b806.dat-decoded.exe | malicious | Remcos | 192.169.69.26
            WOWUS | 17296631433ed1e30f656b0ac5cc21bf24f4d646d05ba386aaf9e1701a86b154026d595f2f535.dat-decoded.exe | malicious | AsyncRAT | 192.169.69.26
            WOWUS | MEC20241022001.bat | malicious | Remcos, GuLoader | 192.169.69.26
            WOWUS | rEXSP5634HISP9005STMSDSDOKUME74247linierelet.bat | malicious | Remcos, GuLoader | 192.169.69.26
            WOWUS | nicetokissthebestthingsiwantotgetmebackwith.hta | malicious | Cobalt Strike, Remcos | 192.169.69.26
            No context
            No context
            Process:C:\Users\user\Desktop\UOp1kufsuw.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):566272
            Entropy (8bit):7.889424982828451
            Encrypted:false
            SSDEEP:12288:iLV6BtpmkjDwb1bL/mZyysVSX/GFFcEvz20Q3CE+A2whXXAo2RB:AApfy16yDSOzFvz20A7lXqB
            MD5:3B4EE472D9C872BA1D96B7A676E809BA
            SHA1:33186A216FE8A37A993F42477B8F813A56BA5F09
            SHA-256:A317BCADEF76FEEC57223D92244A322EB4409990808A7BAB96CC929FBC4A7164
            SHA-512:22D93C0656D9EBB8F0E33497E2D02ECF8A9F160FFF07620F0DFBD022B8449B99AE3D5DCCB3D2F65F555D99415489BFCC4856EBA3D87C2158C68C3922216E4985
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Joe Security
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: unknown
            • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: Florian Roth
            • Rule: Nanocore, Description: detect Nanocore in memory, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: JPCERT/CC Incident Response Group
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DNS Host\dnshost.exe, Author: ditekSHen
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 97%
            Reputation:low
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T................................. ........@.. ......................................................................8...W.... ............................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc........ ......................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
            Process:C:\Users\user\Desktop\UOp1kufsuw.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):1.0465180787969433
            Encrypted:false
            SSDEEP:192:DqLRlLCaRY9wHloympeFCylaQ4EVzuiFfZ24IO8:WLRlOaaaj1zuiFfY4IO8
            MD5:7AA543332D9F2ED0FF75E7D6B2CF8EE3
            SHA1:5B775019CB007DC6FE21785BF036EF4CC0AD45BB
            SHA-256:79F0F5626CD6F57703FC31CA49E8A659BFFD631E194DF6FB3058EE25E5B05F53
            SHA-512:78DFA762ADF7229DC817FD6579515179F7917CEB7B7003C143095EAE49F5E41D164592838E01C35A7C0BBE1E1BF3E79CEBA7605CC8649E23BA76802184E64851
            Malicious:true
            Reputation:low
            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.6.2.6.0.9.0.9.6.4.0.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.6.2.6.0.9.2.8.3.9.0.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.9.4.3.c.9.d.-.5.5.9.9.-.4.d.1.e.-.8.d.3.e.-.c.6.c.5.c.2.5.7.9.d.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.4.-.0.0.0.1.-.0.0.1.4.-.6.c.d.9.-.a.7.5.5.1.e.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.8.e.e.c.7.0.1.2.9.d.f.3.8.a.9.b.5.5.e.c.9.2.6.d.c.3.4.6.5.e.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.3.1.8.6.a.2.1.6.f.e.8.a.3.7.a.9.9.3.f.4.2.4.7.7.b.8.f.8.1.3.a.5.6.b.a.5.f.0.9.!.U.O.p.1.k.u.f.s.u.w...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.5././.0.2././.2.2.:.0.0.:.4.9.:.3.7.!.0.!.U.O.p.1.k.u.f.s.u.w...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.4.4.3.....I.s.F.a.t.a.l.=.4.2.9.4.
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):7634
            Entropy (8bit):3.7061600577110565
            Encrypted:false
            SSDEEP:192:R6l7wVeJdr6l6YEIASU+uCKgmf3rJp1GF1fhim:R6lXJB6l6YE/SU+uCKgmf3rVGnfF
            MD5:9D483F7035A9FCF71315E65A994488E7
            SHA1:7C243B7640772DDC11E0D2B49767912501F67FA7
            SHA-256:F3C19E40C3EB7B934EB4957A02C2C5C3C7FA407D4A58DE5B903914CD2CDECA5F
            SHA-512:53385A8B7067B9EAE6240BB7EDBB89DFCF791F75ACC6EE4D3C37EB273304B5A225C7E9AA65E4CC82F9D193D9B3A5EE5C5D0E0BF7E4B32873D65444A21240B597
            Malicious:false
            Reputation:low
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.0.<./.P.i.
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4546
            Entropy (8bit):4.48870451605345
            Encrypted:false
            SSDEEP:48:cvIwWl8zsFJg77aI9W5WpW8VYPYm8M4JFKfS9HNlFP+q8G9H88reeCtUd:uIjffI7EI7VPJFKMHVtHReptUd
            MD5:652BDF7D0855F5C288A4CF252CDB05ED
            SHA1:BC678413B4CA6A8AEE721B34B59AC6BFFAA99C63
            SHA-256:A6FD88DCFF981F529A1EEE1D51AE8D3F0FF96EC86A6FAF08A687D31FF8E196E5
            SHA-512:E29F80D26163270153F99109F522140441F74B3367F479E85ED91E8002896F893F59FB7176BC49E00DB50815780FAB30090D2E1D79A7EA5B291121BB34F61A2A
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559426" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Users\user\Desktop\UOp1kufsuw.exe
            File Type:Non-ISO extended-ASCII text, with no line terminators
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:3:GDtn:s
            MD5:CEBE65DF942FE8D2741077126898DE2C
            SHA1:3AAE2C1782E0957ADE39F7BB36DB3CA1A0C0DCEE
            SHA-256:E968B85C0C0116FC66C82754910F81B47B6E995394D3863BDF3B947E97375E0B
            SHA-512:61216876915123886A9B0CFD5E653BCF0394F3BC52ABFBBEFF0B5DB76C7B749530CF81AEAE042AEA552820986DC569CEFF86E8967214319EB7ED8AF2985D9B5F
            Malicious:true
            Reputation:low
            Preview:..ax5..H
            Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):1835008
            Entropy (8bit):4.421409799907631
            Encrypted:false
            SSDEEP:6144:ESvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNf0uhiTw:PvloTMW+EZMM6DFyV03w
            MD5:8767C1AE156C82FA7BD03B002E6CE479
            SHA1:4F13EC8C94F2867693E087B81FB4B1117E26CB12
            SHA-256:618973639A1B3D2C86A5C011AE3F5FAEC44F8A1C633DE5C9501FE7783DA9EA7A
            SHA-512:66FCBE44A3BEBFE72E9379C1F20EECF5C9D29F78BDA8AEFB8BBC08917974CEE0A798D23D75A862E57776F4C6CA579438139B56A79EC47B90E5FF333DB08E1317
            Malicious:false
            Reputation:low
            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:....'..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.889424982828451
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:UOp1kufsuw.exe
            File size:566'272 bytes
            MD5:3b4ee472d9c872ba1d96b7a676e809ba
            SHA1:33186a216fe8a37a993f42477b8f813a56ba5f09
            SHA256:a317bcadef76feec57223d92244a322eb4409990808a7bab96cc929fbc4a7164
            SHA512:22d93c0656d9ebb8f0e33497e2d02ecf8a9f160fff07620f0dfbd022b8449b99ae3d5dccb3d2f65f555d99415489bfcc4856eba3d87c2158c68c3922216e4985
            SSDEEP:12288:iLV6BtpmkjDwb1bL/mZyysVSX/GFFcEvz20Q3CE+A2whXXAo2RB:AApfy16yDSOzFvz20A7lXqB
            TLSH:60C412493AB8462FF29E85B826161216137CC1E79AD3F3DB58D010B79F267E1470B1EB
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T................................. ........@.. .....................................................................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x41e792
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:
            Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x6d7d8 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x1c798 | 0x1c800 | bf59bcc83e331fc10fddee98e26c9ea0 | False | 0.5945124040570176 | data | 6.598071033730871 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .reloc | 0x20000 | 0xc | 0x200 | fa81a8e21b7ba0db59d9a42aa7a5e570 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .rsrc | 0x22000 | 0x6d7d8 | 0x6d800 | 97e44c86094d15b362e0f5fd530b2ed0 | False | 1.0003032248858448 | data | 7.999539911126447 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x22058 | 0x6d780 | data | | | 1.0003256137596346
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-25T22:42:00.287740+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.335710+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.335710+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.514835+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.514835+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.593225+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.593225+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.737470+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.737470+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.824773+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.824773+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.987100+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:00.987100+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:01.127816+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:01.127816+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49716 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:05.809428+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:05.878143+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:05.878143+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.068689+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.068689+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.424759+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.424759+0200 | 2816718 | ETPRO MALWARE NanoCore RAT Keep-Alive Beacon | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.424759+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.489359+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.489359+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.612266+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.612266+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.737358+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:06.737358+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49720 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.633675+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.737089+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.737089+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.862183+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.862183+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.987198+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:13.987198+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.049873+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.049873+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.174642+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.174642+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.315306+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:14.315306+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49722 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.088454+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.206118+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.206118+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.330973+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.330973+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.456131+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.456131+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.518453+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.518453+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.678686+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.678686+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.759866+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:19.759866+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49741 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.119393+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.159081+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.159081+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.221561+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.221561+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.346437+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.346437+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.471604+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.471604+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.596566+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.596566+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.659146+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.659146+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.784406+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.784406+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.910726+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:34.910726+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49826 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:41.857493+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:41.925080+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:41.925080+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.034341+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.034341+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.143486+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.143486+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.190470+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.190470+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.299657+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.299657+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.409054+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.409054+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.518393+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.518393+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.630418+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.630418+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.674661+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.674661+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.784042+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:42.784042+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49867 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:46.834378+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:46.909134+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:46.909134+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.002752+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.002752+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.097148+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.097148+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.190448+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.190448+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.284235+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.284235+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.377767+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.377767+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.471730+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.471730+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.518517+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.518517+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.612358+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:47.612358+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49897 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.763262+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.784450+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.784450+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.917609+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.917609+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.987155+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:51.987155+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.065452+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.065452+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.143337+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.143337+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.205971+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.205971+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.284197+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.284197+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.362266+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.362266+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.440306+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.440306+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.518417+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.518417+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.596769+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:42:52.596769+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49924 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.735746+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.741136+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.741136+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.752638+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:12.752638+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49996 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.707028+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.712451+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.712451+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.722780+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.722780+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.737417+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.737417+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.752692+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:22.752692+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 49997 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.652615+0200 | 2025019 | ET MALWARE Possible NanoCore C2 60B | 1 | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.659024+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.659024+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.674546+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.674546+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.690156+0200 | 2046914 | ET MALWARE NanoCore RAT CnC 7 | 1 | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
2024-10-25T22:43:32.690156+0200 | 2822326 | ETPRO MALWARE NanoCore RAT CnC 19 | 1 | 192.168.2.5 | 50000 | 192.169.69.26 | 1608 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 22:42:00.272696972 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.278244019 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:00.278382063 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.287739992 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.293135881 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:00.335710049 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.341240883 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:00.514834881 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.521143913 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:00.593225002 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.598594904 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:00.737469912 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.742995977 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:00.824773073 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.830228090 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:00.987099886 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:00.992548943 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:01.127815962 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:01.133265018 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:01.164048910 CEST | 1608 | 49716 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:01.164357901 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:01.164840937 CEST | 49716 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:05.802947044 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:05.808906078 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:05.809005022 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:05.809427977 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:05.816019058 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:05.878143072 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:05.884646893 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:06.068689108 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:06.074224949 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:06.424758911 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:06.430233955 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:06.489358902 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:06.494761944 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:06.612266064 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:06.622476101 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:06.737358093 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:06.742752075 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:06.747045994 CEST | 1608 | 49720 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:06.747116089 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:06.747168064 CEST | 49720 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:13.627849102 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:13.633275032 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:13.633352041 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:13.633675098 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:13.638988018 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:13.737088919 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:13.742419958 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:13.862183094 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:13.867832899 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:13.987198114 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:13.994961023 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:14.049873114 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:14.055376053 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:14.174642086 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:14.180471897 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:14.315305948 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:14.444401979 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:14.444554090 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:14.444607973 CEST | 49722 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:14.445584059 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:14.449995995 CEST | 1608 | 49722 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.080411911 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.088026047 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.088129044 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.088454008 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.095855951 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.206118107 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.216564894 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.330972910 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.336517096 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.456130981 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.461710930 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.518452883 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.524297953 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.678685904 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.685094118 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.759865999 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.765240908 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.952336073 CEST | 1608 | 49741 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:19.952408075 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:19.953339100 CEST | 49741 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.113172054 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.118571997 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.118675947 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.119393110 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.124984980 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.159080982 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.164729118 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.221560955 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.227015972 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.346436977 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.351965904 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.471604109 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.476995945 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.596565962 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.601957083 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.659146070 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.664467096 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.784405947 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.789787054 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:34.910726070 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:34.916101933 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:35.015506029 CEST | 1608 | 49826 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:35.015619040 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:35.015830994 CEST | 49826 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:41.851540089 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:41.856978893 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:41.857073069 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:41.857492924 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:41.862839937 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:41.925080061 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:41.930589914 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.034341097 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.040380955 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.143486023 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.148946047 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.190469980 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.196942091 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.299657106 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.305655003 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.409054041 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.414705992 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.518393040 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.524030924 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.630418062 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.635987043 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.674660921 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.680222988 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.784041882 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.789616108 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.797854900 CEST | 1608 | 49867 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:42.797986984 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:42.799170017 CEST | 49867 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:46.828454971 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:46.833901882 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:46.833987951 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:46.834378004 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:46.839713097 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:46.909133911 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:46.914628983 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.002752066 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.008147001 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.097147942 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.102536917 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.190448046 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.195815086 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.284235001 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.289608002 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.377767086 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.383160114 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.471729994 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.477257013 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.518517017 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.523952007 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.612358093 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.618140936 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.702541113 CEST | 1608 | 49897 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:47.702702045 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:47.702775955 CEST | 49897 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:51.753782034 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:51.760813951 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:51.760910988 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:51.763262033 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:51.768737078 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:51.784450054 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:51.789968014 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:51.917608976 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:51.923345089 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:51.987154961 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:51.992621899 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:52.065452099 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:52.071811914 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:52.143337011 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:52.148775101 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:52.205971003 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:52.211615086 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:52.284197092 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
Oct 25, 2024 22:42:52.289699078 CEST | 1608 | 49924 | 192.169.69.26 | 192.168.2.5
Oct 25, 2024 22:42:52.362266064 CEST | 49924 | 1608 | 192.168.2.5 | 192.169.69.26
            Oct 25, 2024 22:42:52.368943930 CEST160849924192.169.69.26192.168.2.5
            Oct 25, 2024 22:42:52.440305948 CEST499241608192.168.2.5192.169.69.26
            Oct 25, 2024 22:42:52.445775986 CEST160849924192.169.69.26192.168.2.5
            Oct 25, 2024 22:42:52.518416882 CEST499241608192.168.2.5192.169.69.26
            Oct 25, 2024 22:42:52.524046898 CEST160849924192.169.69.26192.168.2.5
            Oct 25, 2024 22:42:52.596769094 CEST499241608192.168.2.5192.169.69.26
            Oct 25, 2024 22:42:52.602180004 CEST160849924192.169.69.26192.168.2.5
            Oct 25, 2024 22:42:52.648859978 CEST160849924192.169.69.26192.168.2.5
            Oct 25, 2024 22:42:52.648925066 CEST499241608192.168.2.5192.169.69.26
            Oct 25, 2024 22:42:52.649010897 CEST499241608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:12.729407072 CEST499961608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:12.734925985 CEST160849996192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:12.735011101 CEST499961608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:12.735745907 CEST499961608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:12.741065979 CEST160849996192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:12.741136074 CEST499961608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:12.746493101 CEST160849996192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:12.752638102 CEST499961608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:12.758158922 CEST160849996192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:12.768260956 CEST499961608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.694215059 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.699565887 CEST160849997192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:22.699687004 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.707027912 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.712348938 CEST160849997192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:22.712450981 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.718033075 CEST160849997192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:22.722779989 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.728219986 CEST160849997192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:22.737416983 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.742897034 CEST160849997192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:22.752691984 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:22.758042097 CEST160849997192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:22.768409967 CEST499971608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:32.646025896 CEST500001608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:32.652086973 CEST160850000192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:32.652170897 CEST500001608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:32.652615070 CEST500001608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:32.658946991 CEST160850000192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:32.659024000 CEST500001608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:32.664333105 CEST160850000192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:32.674546003 CEST500001608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:32.679902077 CEST160850000192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:32.690155983 CEST500001608192.168.2.5192.169.69.26
            Oct 25, 2024 22:43:32.695661068 CEST160850000192.169.69.26192.168.2.5
            Oct 25, 2024 22:43:32.706098080 CEST500001608192.168.2.5192.169.69.26
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Oct 25, 2024 22:41:59.291848898 CEST | 65148 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:00.262368917 CEST | 53 | 65148 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:05.176670074 CEST | 64085 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:05.799783945 CEST | 53 | 64085 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:10.753653049 CEST | 51609 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:11.753843069 CEST | 51609 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:12.768345118 CEST | 51609 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:13.489847898 CEST | 53 | 51609 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:13.489890099 CEST | 53 | 51609 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:13.489981890 CEST | 53 | 51609 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:13.495528936 CEST | 57667 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:42:13.626390934 CEST | 53 | 57667 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:42:18.457412958 CEST | 51735 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:19.078959942 CEST | 53 | 51735 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:23.972742081 CEST | 49186 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:24.971518040 CEST | 49186 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:25.971577883 CEST | 49186 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:27.987413883 CEST | 49186 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:30.085867882 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:30.085903883 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:30.085932016 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:30.085958958 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:30.087723017 CEST | 61708 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:42:31.081115961 CEST | 61708 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:42:32.096662998 CEST | 61708 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:42:34.099935055 CEST | 53 | 61708 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:42:34.099956989 CEST | 53 | 61708 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:42:34.099971056 CEST | 53 | 61708 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:42:34.102605104 CEST | 61682 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:34.110661030 CEST | 53 | 61682 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:39.021408081 CEST | 60943 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:40.034358025 CEST | 60943 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:41.050566912 CEST | 60943 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:41.850845098 CEST | 53 | 60943 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:41.850912094 CEST | 53 | 60943 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:41.850944042 CEST | 53 | 60943 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:46.819441080 CEST | 60158 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:46.827694893 CEST | 53 | 60158 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:51.715835094 CEST | 63608 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:51.731229067 CEST | 53 | 63608 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:42:56.662388086 CEST | 53928 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:57.674854994 CEST | 53928 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:42:58.690238953 CEST | 53928 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:00.672296047 CEST | 53 | 53928 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:00.672324896 CEST | 53 | 53928 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:00.672382116 CEST | 53 | 53928 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:00.673898935 CEST | 60435 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:43:01.659298897 CEST | 60435 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:43:02.674717903 CEST | 60435 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:43:04.674787998 CEST | 60435 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:43:04.684063911 CEST | 53 | 60435 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:43:04.684089899 CEST | 53 | 60435 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:43:04.684099913 CEST | 53 | 60435 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:43:04.684108973 CEST | 53 | 60435 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:43:04.685112000 CEST | 58367 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:04.693056107 CEST | 53 | 58367 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:08.707689047 CEST | 63954 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:09.721894026 CEST | 63954 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:10.738728046 CEST | 63954 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:12.718636990 CEST | 53 | 63954 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:12.718656063 CEST | 53 | 63954 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:12.718666077 CEST | 53 | 63954 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:12.720448017 CEST | 64325 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:43:12.728647947 CEST | 53 | 64325 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:43:16.835148096 CEST | 65380 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:17.831195116 CEST | 65380 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:18.846802950 CEST | 65380 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:20.846782923 CEST | 65380 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:21.055761099 CEST | 53 | 65380 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:21.055778980 CEST | 53 | 65380 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:21.055788040 CEST | 53 | 65380 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:21.056979895 CEST | 58384 | 53 | 192.168.2.5 | 1.0.0.1
            Oct 25, 2024 22:43:21.059556007 CEST | 53 | 65380 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:21.064569950 CEST | 53 | 58384 | 1.0.0.1 | 192.168.2.5
            Oct 25, 2024 22:43:21.068819046 CEST | 55354 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:22.065311909 CEST | 55354 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:22.689182997 CEST | 53 | 55354 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:22.689940929 CEST | 53 | 55354 | 1.1.1.1 | 192.168.2.5
            Oct 25, 2024 22:43:26.785197020 CEST | 64096 | 53 | 192.168.2.5 | 1.1.1.1
            Oct 25, 2024 22:43:32.639410019 CEST | 53 | 64096 | 1.1.1.1 | 192.168.2.5
            Timestamp | Source IP | Dest IP | Checksum | Code | Type
            Oct 25, 2024 22:43:21.059732914 CEST | 192.168.2.5 | 1.1.1.1 | c1ed | (Port unreachable) | Destination Unreachable
            Oct 25, 2024 22:43:22.690077066 CEST | 192.168.2.5 | 1.1.1.1 | c1fd | (Port unreachable) | Destination Unreachable
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Oct 25, 2024 22:41:59.291848898 CEST | 192.168.2.5 | 1.1.1.1 | 0xd63 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:05.176670074 CEST | 192.168.2.5 | 1.1.1.1 | 0x7242 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:10.753653049 CEST | 192.168.2.5 | 1.1.1.1 | 0x5387 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:11.753843069 CEST | 192.168.2.5 | 1.1.1.1 | 0x5387 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:12.768345118 CEST | 192.168.2.5 | 1.1.1.1 | 0x5387 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:13.495528936 CEST | 192.168.2.5 | 1.0.0.1 | 0x892d | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:18.457412958 CEST | 192.168.2.5 | 1.1.1.1 | 0x35f7 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:23.972742081 CEST | 192.168.2.5 | 1.1.1.1 | 0xa89 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:24.971518040 CEST | 192.168.2.5 | 1.1.1.1 | 0xa89 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:25.971577883 CEST | 192.168.2.5 | 1.1.1.1 | 0xa89 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:27.987413883 CEST | 192.168.2.5 | 1.1.1.1 | 0xa89 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:30.087723017 CEST | 192.168.2.5 | 1.0.0.1 | 0x5892 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:31.081115961 CEST | 192.168.2.5 | 1.0.0.1 | 0x5892 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:32.096662998 CEST | 192.168.2.5 | 1.0.0.1 | 0x5892 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:34.102605104 CEST | 192.168.2.5 | 1.1.1.1 | 0xcfe4 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:39.021408081 CEST | 192.168.2.5 | 1.1.1.1 | 0x3cbe | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:40.034358025 CEST | 192.168.2.5 | 1.1.1.1 | 0x3cbe | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:41.050566912 CEST | 192.168.2.5 | 1.1.1.1 | 0x3cbe | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:46.819441080 CEST | 192.168.2.5 | 1.1.1.1 | 0xb91b | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:51.715835094 CEST | 192.168.2.5 | 1.1.1.1 | 0xdbfb | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:56.662388086 CEST | 192.168.2.5 | 1.1.1.1 | 0xbc0e | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:57.674854994 CEST | 192.168.2.5 | 1.1.1.1 | 0xbc0e | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:58.690238953 CEST | 192.168.2.5 | 1.1.1.1 | 0xbc0e | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:00.673898935 CEST | 192.168.2.5 | 1.0.0.1 | 0x6c3f | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:01.659298897 CEST | 192.168.2.5 | 1.0.0.1 | 0x6c3f | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:02.674717903 CEST | 192.168.2.5 | 1.0.0.1 | 0x6c3f | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:04.674787998 CEST | 192.168.2.5 | 1.0.0.1 | 0x6c3f | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:04.685112000 CEST | 192.168.2.5 | 1.1.1.1 | 0x6c42 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:08.707689047 CEST | 192.168.2.5 | 1.1.1.1 | 0x4249 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:09.721894026 CEST | 192.168.2.5 | 1.1.1.1 | 0x4249 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:10.738728046 CEST | 192.168.2.5 | 1.1.1.1 | 0x4249 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:12.720448017 CEST | 192.168.2.5 | 1.0.0.1 | 0xf36d | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:16.835148096 CEST | 192.168.2.5 | 1.1.1.1 | 0x1733 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:17.831195116 CEST | 192.168.2.5 | 1.1.1.1 | 0x1733 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:18.846802950 CEST | 192.168.2.5 | 1.1.1.1 | 0x1733 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:20.846782923 CEST | 192.168.2.5 | 1.1.1.1 | 0x1733 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:21.056979895 CEST | 192.168.2.5 | 1.0.0.1 | 0x4314 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:21.068819046 CEST | 192.168.2.5 | 1.1.1.1 | 0x89f4 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:22.065311909 CEST | 192.168.2.5 | 1.1.1.1 | 0x89f4 | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:26.785197020 CEST | 192.168.2.5 | 1.1.1.1 | 0xa01a | Standard query (0) | josh289232.duckdns.org | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Oct 25, 2024 22:42:00.262368917 CEST | 1.1.1.1 | 192.168.2.5 | 0xd63 | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:05.799783945 CEST | 1.1.1.1 | 192.168.2.5 | 0x7242 | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:13.489847898 CEST | 1.1.1.1 | 192.168.2.5 | 0x5387 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:13.489890099 CEST | 1.1.1.1 | 192.168.2.5 | 0x5387 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:13.489981890 CEST | 1.1.1.1 | 192.168.2.5 | 0x5387 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:13.626390934 CEST | 1.0.0.1 | 192.168.2.5 | 0x892d | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:19.078959942 CEST | 1.1.1.1 | 192.168.2.5 | 0x35f7 | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:30.085867882 CEST | 1.1.1.1 | 192.168.2.5 | 0xa89 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:30.085903883 CEST | 1.1.1.1 | 192.168.2.5 | 0xa89 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:30.085932016 CEST | 1.1.1.1 | 192.168.2.5 | 0xa89 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:30.085958958 CEST | 1.1.1.1 | 192.168.2.5 | 0xa89 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:34.099935055 CEST | 1.0.0.1 | 192.168.2.5 | 0x5892 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:34.099956989 CEST | 1.0.0.1 | 192.168.2.5 | 0x5892 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:34.099971056 CEST | 1.0.0.1 | 192.168.2.5 | 0x5892 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:34.110661030 CEST | 1.1.1.1 | 192.168.2.5 | 0xcfe4 | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:41.850845098 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cbe | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:41.850912094 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cbe | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:41.850944042 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cbe | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:46.827694893 CEST | 1.1.1.1 | 192.168.2.5 | 0xb91b | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:42:51.731229067 CEST | 1.1.1.1 | 192.168.2.5 | 0xdbfb | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:00.672296047 CEST | 1.1.1.1 | 192.168.2.5 | 0xbc0e | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:00.672324896 CEST | 1.1.1.1 | 192.168.2.5 | 0xbc0e | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:00.672382116 CEST | 1.1.1.1 | 192.168.2.5 | 0xbc0e | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:04.684063911 CEST | 1.0.0.1 | 192.168.2.5 | 0x6c3f | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:04.684089899 CEST | 1.0.0.1 | 192.168.2.5 | 0x6c3f | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:04.684099913 CEST | 1.0.0.1 | 192.168.2.5 | 0x6c3f | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:04.684108973 CEST | 1.0.0.1 | 192.168.2.5 | 0x6c3f | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:04.693056107 CEST | 1.1.1.1 | 192.168.2.5 | 0x6c42 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:12.718636990 CEST | 1.1.1.1 | 192.168.2.5 | 0x4249 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:12.718656063 CEST | 1.1.1.1 | 192.168.2.5 | 0x4249 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:12.718666077 CEST | 1.1.1.1 | 192.168.2.5 | 0x4249 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:12.728647947 CEST | 1.0.0.1 | 192.168.2.5 | 0xf36d | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:21.055761099 CEST | 1.1.1.1 | 192.168.2.5 | 0x1733 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:21.055778980 CEST | 1.1.1.1 | 192.168.2.5 | 0x1733 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:21.055788040 CEST | 1.1.1.1 | 192.168.2.5 | 0x1733 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:21.059556007 CEST | 1.1.1.1 | 192.168.2.5 | 0x1733 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:21.064569950 CEST | 1.0.0.1 | 192.168.2.5 | 0x4314 | Server failure (2) | josh289232.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:22.689182997 CEST | 1.1.1.1 | 192.168.2.5 | 0x89f4 | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:22.689940929 CEST | 1.1.1.1 | 192.168.2.5 | 0x89f4 | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
            Oct 25, 2024 22:43:32.639410019 CEST | 1.1.1.1 | 192.168.2.5 | 0xa01a | No error (0) | josh289232.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001) | false
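The network tables above show the sample resolving josh289232.duckdns.org over and over (with bursts of Server failure from 1.1.1.1 and 1.0.0.1, and two answers arriving after the resolver socket was already closed, which is what produces the ICMP port-unreachable rows) and opening a fresh TCP connection to 192.169.69.26:1608 roughly every ten seconds toward the end of the capture. The Python below is an added example, not part of the Joe Sandbox report: it runs over a small set of records transcribed from those tables (constructed inline so it needs no network or capture file) and derives the indicators a hunter would carry forward: the C2 peer and port, the beacon cadence, any dynamic-DNS names that resolved, and the resolver failure rate. The DDNS suffix list and the 192.168.2. local-network prefix are assumptions for the example.

```python
"""Beacon-interval and dynamic-DNS triage over sandbox network records.

Added example, not part of the Joe Sandbox report. The records below are
constructed from the report's own TCP and DNS tables (timestamps, ports and
addresses copied from them); the helper functions are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: TCP packets as (timestamp, src_port, dst_port, src_ip, dst_ip),
# one row per packet as in the report. Only the first packet the local host sends
# on a new source port marks a new connection; server replies and later data
# packets are included so the dedup logic has something to filter.
TCP_PACKETS = [
    ("Oct 25, 2024 22:42:46.828454971 CEST", 49897, 1608, "192.168.2.5", "192.169.69.26"),
    ("Oct 25, 2024 22:42:46.833901882 CEST", 1608, 49897, "192.169.69.26", "192.168.2.5"),
    ("Oct 25, 2024 22:42:46.833987951 CEST", 49897, 1608, "192.168.2.5", "192.169.69.26"),
    ("Oct 25, 2024 22:42:51.753782034 CEST", 49924, 1608, "192.168.2.5", "192.169.69.26"),
    ("Oct 25, 2024 22:42:51.760813951 CEST", 1608, 49924, "192.169.69.26", "192.168.2.5"),
    ("Oct 25, 2024 22:43:12.729407072 CEST", 49996, 1608, "192.168.2.5", "192.169.69.26"),
    ("Oct 25, 2024 22:43:12.735011101 CEST", 49996, 1608, "192.168.2.5", "192.169.69.26"),
    ("Oct 25, 2024 22:43:22.694215059 CEST", 49997, 1608, "192.168.2.5", "192.169.69.26"),
    ("Oct 25, 2024 22:43:32.646025896 CEST", 50000, 1608, "192.168.2.5", "192.169.69.26"),
]

# Constructed sample: DNS answers as (timestamp, reply_code, name, address).
DNS_ANSWERS = [
    ("Oct 25, 2024 22:42:00.262368917 CEST", "No error (0)", "josh289232.duckdns.org", "192.169.69.26"),
    ("Oct 25, 2024 22:42:13.489847898 CEST", "Server failure (2)", "josh289232.duckdns.org", "none"),
    ("Oct 25, 2024 22:42:13.626390934 CEST", "No error (0)", "josh289232.duckdns.org", "192.169.69.26"),
    ("Oct 25, 2024 22:42:30.085867882 CEST", "Server failure (2)", "josh289232.duckdns.org", "none"),
    ("Oct 25, 2024 22:43:32.639410019 CEST", "No error (0)", "josh289232.duckdns.org", "192.169.69.26"),
]

# Assumed list of dynamic-DNS provider suffixes to flag; extend it for your environment.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

LOCAL_PREFIX = "192.168.2."  # assumed local network of the analysis VM


def parse_ts(text):
    """Parse the report's 'Oct 25, 2024 22:43:12.729407072 CEST' timestamps.

    strptime's %f accepts at most six fractional digits, so the nanosecond
    field is truncated to microseconds; the zone suffix is dropped because
    every row in the report carries the same one.
    """
    base, frac = text.rsplit(" ", 1)[0].rsplit(".", 1)
    stamp = datetime.strptime(base, "%b %d, %Y %H:%M:%S")
    return stamp + timedelta(microseconds=int(frac[:6]))


def new_connections(packets, local_prefix=LOCAL_PREFIX):
    """Return [(ts, remote_ip, remote_port)] for each outbound connection.

    A connection is identified by (local port, remote ip, remote port); the
    first local-to-remote packet on that tuple is its start, later packets on
    the same tuple and all remote-to-local packets are ignored.
    """
    seen = set()
    conns = []
    for ts, sport, dport, src, dst in packets:
        if not src.startswith(local_prefix):
            continue  # server-to-client packet
        key = (sport, dst, dport)
        if key in seen:
            continue
        seen.add(key)
        conns.append((parse_ts(ts), dst, dport))
    return conns


def beacon_intervals(conns):
    """Seconds between consecutive connections to the same remote ip:port."""
    by_peer = defaultdict(list)
    for ts, ip, port in conns:
        by_peer[(ip, port)].append(ts)
    intervals = {}
    for peer, stamps in by_peer.items():
        stamps.sort()
        intervals[peer] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return intervals


def ddns_resolutions(answers, suffixes=DDNS_SUFFIXES):
    """Set of (name, address) pairs that resolved through a dynamic-DNS provider."""
    hits = set()
    for _, rcode, name, addr in answers:
        if rcode.startswith("No error") and name.endswith(suffixes):
            hits.add((name, addr))
    return hits


def servfail_ratio(answers):
    """Share of answers that came back as Server failure; high values mean the
    resolver, not the client, was the flaky part of the C2 resolution chain."""
    failures = sum(1 for _, rcode, _, _ in answers if rcode.startswith("Server failure"))
    return failures / len(answers) if answers else 0.0


def triage(packets=TCP_PACKETS, answers=DNS_ANSWERS):
    """Summarise the C2 evidence: peers, beacon cadence, DDNS names, DNS failures."""
    conns = new_connections(packets)
    intervals = beacon_intervals(conns)
    return {
        "connections": len(conns),
        "peers": sorted(intervals),
        "median_interval_s": {peer: median(v) for peer, v in intervals.items() if v},
        "ddns": sorted(ddns_resolutions(answers)),
        "servfail_ratio": servfail_ratio(answers),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the transcribed rows this reports one peer, 192.169.69.26:1608, five outbound connections with a median gap just under ten seconds (the first two gaps, about 5 s and 21 s, are the connection churn before the client settled into its cadence), one dynamic-DNS resolution, and a 40% Server failure rate from the public resolvers. On a full capture the same functions work unchanged; the median is used rather than the mean precisely so that the irregular early gaps do not hide the steady beacon.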

            Target ID: 0
            Start time: 16:41:57
            Start date: 25/10/2024
            Path: C:\Users\user\Desktop\UOp1kufsuw.exe
            Wow64 process (32bit): true
            Commandline: "C:\Users\user\Desktop\UOp1kufsuw.exe"
            Imagebase: 0x860000
            File size: 566'272 bytes
            MD5 hash: 3B4EE472D9C872BA1D96B7A676E809BA
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010879379.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010856655.0000000005D30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010902877.0000000005D50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010569730.0000000005950000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010345944.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010932431.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
            • Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000000.2063014436.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011260033.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011050016.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010804900.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010955468.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3011096842.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010644369.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000000.00000002.3010828111.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.3007308460.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.3009021651.00000000040EC000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low
            Has exited:true

            Target ID:4
            Start time:16:43:28
            Start date:25/10/2024
            Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            Wow64 process (32bit):true
            Commandline:dw20.exe -x -s 2356
            Imagebase:0x10000000
            File size:36'264 bytes
            MD5 hash:89106D4D0BA99F770EAFE946EA81BB65
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

              Execution Graph

              Execution Coverage:15.2%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:5.9%
              Total number of Nodes:219
              Total number of Limit Nodes:13
              execution_graph 18305 5271726 18306 5271755 AdjustTokenPrivileges 18305->18306 18308 5271777 18306->18308 18309 52715a6 18311 52715cf LookupPrivilegeValueW 18309->18311 18312 52715f6 18311->18312 18313 5270ea6 18315 5270edb GetFileType 18313->18315 18316 5270f08 18315->18316 18371 5271966 18372 52719c6 18371->18372 18373 527199b NtQuerySystemInformation 18371->18373 18372->18373 18374 52719b0 18373->18374 18375 5270f66 18376 5270f9b ReadFile 18375->18376 18378 5270fcd 18376->18378 18317 52718a2 18318 52718ce K32EnumProcesses 18317->18318 18320 52718ea 18318->18320 18379 5271de2 18380 5271e1a WSASocketW 18379->18380 18382 5271e56 18380->18382 18321 11daf9a 18322 11dafea CreateActCtxA 18321->18322 18323 11daff8 18322->18323 18383 527256e 18384 52725a6 MapViewOfFile 18383->18384 18386 52725f5 18384->18386 18387 11dac56 18388 11daca6 EnumThreadWindows 18387->18388 18389 11dacb4 18388->18389 18324 527012a 18326 5270162 CreateMutexW 18324->18326 18327 52701a5 18326->18327 18394 11dbed2 18396 11dbef8 DeleteFileW 18394->18396 18397 11dbf14 18396->18397 18328 52732b6 18331 52732eb WSARecv 18328->18331 18330 527332e 18331->18330 18398 5273776 18399 52737b1 getaddrinfo 18398->18399 18401 5273823 18399->18401 18402 5270776 18403 52707ab GetTokenInformation 18402->18403 18405 52707e8 18403->18405 18332 5270232 18333 527025e CloseHandle 18332->18333 18334 527029d 18332->18334 18335 527026c 18333->18335 18334->18333 18336 11da78a 18337 11da7ec 18336->18337 18338 11da7b6 closesocket 18336->18338 18337->18338 18339 11da7c4 18338->18339 18340 11db806 18341 11db83b SendMessageW 18340->18341 18342 11db866 18340->18342 18343 11db850 18341->18343 18342->18341 18410 11da546 18411 11da5bc 18410->18411 18412 11da584 DuplicateHandle 18410->18412 18411->18412 18413 11da592 18412->18413 18414 11db746 18415 11db7bc 18414->18415 18416 11db784 CreateIconFromResourceEx 18414->18416 18415->18416 18417 11db792 18416->18417 18418 5272dfa 18419 5272e2f bind 18418->18419 18421 5272e63 
18419->18421 18344 5273986 18345 52739d6 FormatMessageW 18344->18345 18346 52739de 18345->18346 18422 5271d46 18423 5271d96 DnsQuery_A 18422->18423 18424 5271da4 18423->18424 18347 11dbe3e 18348 11dbe6a DispatchMessageW 18347->18348 18349 11dbe93 18347->18349 18350 11dbe7f 18348->18350 18349->18348 18425 11dbb7e 18426 11dbbb3 PostMessageW 18425->18426 18427 11dbbe7 18425->18427 18428 11dbbc8 18426->18428 18427->18426 18429 52731c2 18430 52731f7 WSASend 18429->18430 18432 527323a 18430->18432 18351 11dab3a 18352 11dab6f RegQueryValueExW 18351->18352 18354 11dabc3 18352->18354 18355 527138e 18356 52713f0 18355->18356 18357 52713ba GetSystemInfo 18355->18357 18356->18357 18358 52713c8 18357->18358 18359 5270d8e 18360 5270dc6 CreateFileW 18359->18360 18362 5270e15 18360->18362 18433 5270cce 18435 5270cf4 CreateDirectoryW 18433->18435 18436 5270d1b 18435->18436 18437 50b0660 18438 50b0665 18437->18438 18439 50b0674 18438->18439 18441 50b0682 18438->18441 18442 50b068f 18441->18442 18452 50b44a0 18442->18452 18456 50b44b0 18442->18456 18443 50b07e2 18459 50b5bf8 18443->18459 18463 50b5c08 18443->18463 18444 50b0806 18467 50b5df8 18444->18467 18471 50b5de8 18444->18471 18445 50b0812 18445->18439 18453 50b44af 18452->18453 18454 50b44cd 18452->18454 18475 50b45f0 18453->18475 18454->18443 18457 50b44cd 18456->18457 18458 50b45f0 6 API calls 18456->18458 18457->18443 18458->18457 18460 50b5c11 18459->18460 18461 50b5c15 18460->18461 18532 50b5c81 18460->18532 18461->18444 18464 50b5c11 18463->18464 18465 50b5c15 18464->18465 18466 50b5c81 2 API calls 18464->18466 18465->18444 18466->18465 18468 50b5e01 18467->18468 18469 50b5e05 18468->18469 18545 50b5e68 18468->18545 18469->18445 18472 50b5e01 18471->18472 18473 50b5e05 18472->18473 18474 50b5e68 2 API calls 18472->18474 18473->18445 18474->18473 18476 50b45ff 18475->18476 18480 50b4699 18476->18480 18494 50b46a8 18476->18494 18477 50b4640 18477->18454 18508 52702de 18480->18508 18512 52702ab 18480->18512 18481 50b46d9 
18481->18477 18482 50b46d5 18482->18481 18516 52703ca 18482->18516 18520 5270390 18482->18520 18483 50b4765 18483->18477 18484 50b4700 18485 50b4757 18484->18485 18488 5270390 RegQueryValueExA 18484->18488 18489 52703ca RegQueryValueExA 18484->18489 18524 11da34e 18485->18524 18528 11da372 18485->18528 18488->18485 18489->18485 18496 50b46d5 18494->18496 18506 52702de RegOpenKeyExA 18494->18506 18507 52702ab RegOpenKeyExA 18494->18507 18495 50b46d9 18495->18477 18496->18495 18500 5270390 RegQueryValueExA 18496->18500 18501 52703ca RegQueryValueExA 18496->18501 18497 50b4700 18499 50b4757 18497->18499 18504 5270390 RegQueryValueExA 18497->18504 18505 52703ca RegQueryValueExA 18497->18505 18498 50b4765 18498->18477 18502 11da34e SetErrorMode 18499->18502 18503 11da372 SetErrorMode 18499->18503 18500->18497 18501->18497 18502->18498 18503->18498 18504->18499 18505->18499 18506->18496 18507->18496 18511 5270319 RegOpenKeyExA 18508->18511 18510 5270362 18510->18482 18511->18510 18513 52702de RegOpenKeyExA 18512->18513 18515 5270362 18513->18515 18515->18482 18517 5270405 RegQueryValueExA 18516->18517 18519 527046d 18517->18519 18519->18484 18521 52703ca RegQueryValueExA 18520->18521 18523 527046d 18521->18523 18523->18484 18525 11da372 SetErrorMode 18524->18525 18527 11da3b3 18525->18527 18527->18483 18529 11da39e SetErrorMode 18528->18529 18530 11da3c7 18528->18530 18531 11da3b3 18529->18531 18530->18529 18531->18483 18533 50b5c98 18532->18533 18537 52711cc 18533->18537 18541 52711fa 18533->18541 18534 50b5cb2 18534->18461 18540 52711da DeleteFileA 18537->18540 18539 5271272 18539->18534 18540->18539 18544 5271235 DeleteFileA 18541->18544 18543 5271272 18543->18534 18544->18543 18546 50b5e9a 18545->18546 18549 50b5ea2 18546->18549 18550 50b5fba 18546->18550 18555 50b5fc8 18546->18555 18549->18469 18551 50b5fd8 18550->18551 18560 52712a7 18551->18560 18564 52712da 18551->18564 18552 50b6004 18552->18549 18556 50b5fd8 18555->18556 18558 52712a7 SetKernelObjectSecurity 
18556->18558 18559 52712da SetKernelObjectSecurity 18556->18559 18557 50b6004 18557->18549 18558->18557 18559->18557 18563 52712da SetKernelObjectSecurity 18560->18563 18562 5271329 18562->18552 18563->18562 18565 5271300 SetKernelObjectSecurity 18564->18565 18567 5271329 18565->18567 18567->18552 18568 527104a 18570 5271073 CopyFileW 18568->18570 18571 527109a 18570->18571 18363 11daa32 18364 11daa6a RegOpenKeyExW 18363->18364 18366 11daac0 18364->18366 18572 5271456 18573 527147f MessageBoxW 18572->18573 18575 52714b0 18573->18575 18576 11da8ee 18577 11da94b 18576->18577 18578 11da920 SetWindowLongW 18576->18578 18577->18578 18579 11da935 18578->18579 18367 5271112 18368 5271147 RegSetValueExW 18367->18368 18370 5271193 18368->18370 18580 5272fd2 18581 5273007 setsockopt 18580->18581 18583 5273041 18581->18583 18584 5272ada 18585 5272b0f GetProcessTimes 18584->18585 18587 5272b41 18585->18587

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 222 50b9370-50b93b5 226 50b93b7-50b93d0 222->226 230 50b93ce-50b93f2 226->230 231 50b93f4-50b93fb 226->231 241 50b9ac0-50b9acb 230->241 233 50b967a 231->233 234 50b9401-50b948f 231->234 236 50b9680-50b968a 233->236 327 50b949c 234->327 328 50b9472-50b949a 234->328 237 50b968c-50b96a1 236->237 238 50b96f1-50b9722 236->238 246 50b9abb 237->246 247 50b96a7-50b96b1 237->247 248 50b972f-50b9739 238->248 249 50b9724-50b972a 238->249 259 50b9acc 241->259 246->241 247->246 252 50b96b7-50b96c1 247->252 254 50b973b-50b9754 248->254 255 50b9756 248->255 253 50b97b0-50b97cd 249->253 252->246 257 50b96c7-50b96ec 252->257 267 50b983f-50b9884 253->267 268 50b97cf-50b97f3 253->268 258 50b9758-50b975a 254->258 255->258 257->241 263 50b975c-50b975e 258->263 264 50b9760-50b977a 258->264 259->259 263->253 264->253 272 50b977c-50b977f 264->272 373 50b9886 call 13305e0 267->373 374 50b9886 call 1330606 267->374 268->246 276 50b97f9-50b9800 268->276 274 50b9782-50b9787 272->274 274->246 278 50b978d-50b97ae 274->278 276->246 280 50b9806-50b9812 276->280 277 50b988c-50b98ae 281 50b9903-50b9912 277->281 282 50b98b0-50b98b4 277->282 278->253 278->274 280->246 284 50b9818-50b9824 280->284 287 50b991b-50b991f 281->287 288 50b9914-50b9919 281->288 282->281 285 50b98b6-50b98b9 282->285 284->246 289 50b982a-50b983a 284->289 291 50b98bc-50b98c6 285->291 287->246 293 50b9925-50b992d 287->293 292 50b9981-50b9985 288->292 289->226 291->246 296 50b98cc-50b98e1 291->296 294 50b99da-50b99f4 292->294 295 50b9987-50b998e 292->295 293->246 297 50b9933-50b9940 293->297 312 50b99f6-50b9a0c 294->312 295->294 299 50b9990-50b99a2 295->299 296->246 301 50b98e7-50b98f4 296->301 297->246 298 50b9946-50b9953 297->298 298->246 302 50b9959-50b9976 298->302 309 50b99cd-50b99d8 299->309 310 50b99a4-50b99a7 299->310 301->246 304 50b98fa-50b9901 301->304 302->292 304->281 304->291 309->312 314 50b99aa-50b99af 310->314 316 50b9a0e-50b9a3e 312->316 317 50b9a40-50b9a44 312->317 314->246 318 
50b99b5-50b99bd 314->318 316->317 321 50b9aa3-50b9ab9 317->321 322 50b9a46-50b9a7f 317->322 318->246 323 50b99c3-50b99cb 318->323 321->241 322->321 333 50b9a81-50b9a9d 322->333 323->309 323->314 332 50b949e-50b94ac 327->332 328->332 334 50b94bb-50b94bd 332->334 335 50b94ae-50b94b9 332->335 333->321 336 50b94c3-50b94c5 334->336 335->336 338 50b94d1-50b94f3 336->338 339 50b94c7 336->339 343 50b9510-50b9513 338->343 344 50b94f5-50b9504 338->344 339->338 346 50b951c-50b9566 343->346 347 50b9515 343->347 344->343 345 50b9506 344->345 345->343 352 50b9568-50b9585 346->352 353 50b9587-50b9595 346->353 347->346 356 50b95a0-50b95dc 352->356 353->356 359 50b95de-50b95e5 356->359 360 50b95ed-50b9603 356->360 359->360 363 50b9613-50b9621 360->363 364 50b9605-50b9609 360->364 368 50b9627 call 13305e0 363->368 369 50b9627 call 50b9f5f 363->369 370 50b9627 call 1330606 363->370 371 50b9627 call 50b9f70 363->371 372 50b9627 call 50ba037 363->372 364->363 365 50b960b-50b960d 364->365 365->363 366 50b962d-50b966c 366->236 367 50b966e-50b9678 366->367 367->236 368->366 369->366 370->366 371->366 372->366 373->277 374->277
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: f`k$f`k
              • API String ID: 0-3251778840
              • Opcode ID: a402f923628bfa692f7366ba309ce63870e6787604eb7d0c3b963e0655590043
              • Instruction ID: 488f247cb1dd702cc0894de66a4b2f2ec05e7b0eff008cfcb3c299d037808819
              • Opcode Fuzzy Hash: a402f923628bfa692f7366ba309ce63870e6787604eb7d0c3b963e0655590043
              • Instruction Fuzzy Hash: 0112BC70A20619CFEB14CF24E4D46ADBBF2BF84304F14896AD526DB394DBB5A841CF81

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 66 50b23a0-50b23d3 67 50b23dc-50b23e5 66->67 68 50b23d5-50b23da 66->68 67->68 70 50b23e7-50b23f0 68->70 212 50b23f2 call 13305e0 70->212 213 50b23f2 call 1330606 70->213 71 50b23f8-50b2400 74 50b23fe-50b2422 71->74 75 50b2424-50b242b 71->75 81 50b2af3-50b2afe 74->81 82 50b2407-50b241a 74->82 77 50b26aa 75->77 78 50b2431-50b24bf 75->78 79 50b26b0-50b26ba 77->79 171 50b24cc 78->171 172 50b24a2-50b24ca 78->172 83 50b26bc-50b26d1 79->83 84 50b2721-50b2752 79->84 96 50b2aff 81->96 82->81 93 50b2aee 83->93 94 50b26d7-50b26e1 83->94 91 50b275f-50b2769 84->91 92 50b2754-50b275a 84->92 98 50b276b-50b2784 91->98 99 50b2786 91->99 97 50b27e0-50b27fd 92->97 93->81 94->93 100 50b26e7-50b26f1 94->100 96->96 111 50b286f-50b28de 97->111 112 50b27ff-50b2823 97->112 103 50b2788-50b278a 98->103 99->103 100->93 102 50b26f7-50b271c 100->102 102->81 104 50b278c-50b278e 103->104 105 50b2790-50b27aa 103->105 104->97 105->97 116 50b27ac-50b27af 105->116 125 50b2933-50b2942 111->125 126 50b28e0-50b28e4 111->126 112->93 120 50b2829-50b2830 112->120 118 50b27b2-50b27b7 116->118 118->93 122 50b27bd-50b27de 118->122 120->93 124 50b2836-50b2842 120->124 122->97 122->118 124->93 128 50b2848-50b2854 124->128 132 50b294b-50b294f 125->132 133 50b2944-50b2949 125->133 126->125 130 50b28e6-50b28e9 126->130 128->93 129 50b285a-50b286a 128->129 129->70 135 50b28ec-50b28f6 130->135 132->93 137 50b2955-50b295d 132->137 136 50b29b1-50b29b5 133->136 135->93 141 50b28fc-50b2911 135->141 139 50b2a0a-50b2a24 136->139 140 50b29b7-50b29be 136->140 137->93 138 50b2963-50b2970 137->138 138->93 142 50b2976-50b2983 138->142 156 50b2a26-50b2a3c 139->156 140->139 143 50b29c0-50b29c2 140->143 141->93 145 50b2917-50b2924 141->145 142->93 146 50b2989-50b29a6 142->146 149 50b29cc-50b29d2 143->149 145->93 148 50b292a-50b2931 145->148 146->136 148->125 148->135 153 50b29fd-50b2a08 149->153 154 50b29d4-50b29d7 149->154 153->156 158 50b29da-50b29df 154->158 160 50b2a3e-50b2a6e 156->160 161 
50b2a70-50b2a74 156->161 158->93 162 50b29e5-50b29ed 158->162 160->161 165 50b2ad6-50b2aec 161->165 166 50b2a76-50b2a89 161->166 162->93 167 50b29f3-50b29fb 162->167 165->81 214 50b2a8b call 13305e0 166->214 215 50b2a8b call 1330606 166->215 167->153 167->158 176 50b24ce-50b24dc 171->176 172->176 175 50b2a91-50b2ab2 175->165 177 50b2ab4-50b2ad0 175->177 178 50b24eb-50b24ed 176->178 179 50b24de-50b24e9 176->179 177->165 180 50b24f3-50b24f5 178->180 179->180 183 50b2501-50b2523 180->183 184 50b24f7 180->184 187 50b2540-50b2543 183->187 188 50b2525-50b2534 183->188 184->183 190 50b254c-50b256b 187->190 191 50b2545 187->191 188->187 189 50b2536 188->189 189->187 220 50b256d call 13305e0 190->220 221 50b256d call 1330606 190->221 191->190 193 50b2573-50b2596 196 50b2598-50b25b5 193->196 197 50b25b7-50b25c5 193->197 200 50b25d0-50b260c 196->200 197->200 203 50b260e-50b2615 200->203 204 50b261d-50b2633 200->204 203->204 207 50b2643-50b264b 204->207 208 50b2635-50b2639 204->208 216 50b2651 call 13305e0 207->216 217 50b2651 call 50b2fa8 207->217 218 50b2651 call 1330606 207->218 219 50b2651 call 50b2f97 207->219 208->207 209 50b263b-50b263d 208->209 209->207 210 50b2657-50b269c 210->79 211 50b269e-50b26a8 210->211 211->79 212->71 213->71 214->175 215->175 216->210 217->210 218->210 219->210 220->193 221->193
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: f`k$f`k
              • API String ID: 0-3251778840
              • Opcode ID: de072aae270aed8d220cb77ff319ba0817fa48cb1ad1d5f4255bb7fafdee60d2
              • Instruction ID: 49e27f06cf44ae613c6ced9f400478d87f170e0ef90031ec28ef407b5b57d6a3
              • Opcode Fuzzy Hash: de072aae270aed8d220cb77ff319ba0817fa48cb1ad1d5f4255bb7fafdee60d2
              • Instruction Fuzzy Hash: BC12F178A0021ACFE728DFA4E4846ADB7F3BF84304F158579D426DB659DBB4D882CB41

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 375 50bbac0-50bbb05 379 50bbb07-50bbb20 375->379 383 50bbb1e-50bbb42 379->383 384 50bbb44-50bbb4b 379->384 394 50bc210-50bc21b 383->394 386 50bbdca 384->386 387 50bbb51-50bbbdf 384->387 389 50bbdd0-50bbdda 386->389 481 50bbbec 387->481 482 50bbbc2-50bbbea 387->482 390 50bbddc-50bbdf1 389->390 391 50bbe41-50bbe72 389->391 399 50bc20b 390->399 400 50bbdf7-50bbe01 390->400 401 50bbe7f-50bbe89 391->401 402 50bbe74-50bbe7a 391->402 411 50bc21c 394->411 399->394 400->399 405 50bbe07-50bbe11 400->405 407 50bbe8b-50bbea4 401->407 408 50bbea6 401->408 406 50bbf00-50bbf1d 402->406 405->399 410 50bbe17-50bbe3c 405->410 420 50bbf8f-50bbffe 406->420 421 50bbf1f-50bbf43 406->421 412 50bbea8-50bbeaa 407->412 408->412 410->394 411->411 416 50bbeac-50bbeae 412->416 417 50bbeb0-50bbeca 412->417 416->406 417->406 425 50bbecc-50bbecf 417->425 434 50bc053-50bc062 420->434 435 50bc000-50bc004 420->435 421->399 429 50bbf49-50bbf50 421->429 427 50bbed2-50bbed7 425->427 427->399 431 50bbedd-50bbefe 427->431 429->399 433 50bbf56-50bbf62 429->433 431->406 431->427 433->399 437 50bbf68-50bbf74 433->437 440 50bc06b-50bc06f 434->440 441 50bc064-50bc069 434->441 435->434 438 50bc006-50bc009 435->438 437->399 442 50bbf7a-50bbf8a 437->442 444 50bc00c-50bc016 438->444 440->399 446 50bc075-50bc07d 440->446 445 50bc0d1-50bc0d5 441->445 442->379 444->399 449 50bc01c-50bc031 444->449 447 50bc12a-50bc144 445->447 448 50bc0d7-50bc0de 445->448 446->399 450 50bc083-50bc090 446->450 465 50bc146-50bc15c 447->465 448->447 451 50bc0e0-50bc0f2 448->451 449->399 453 50bc037-50bc044 449->453 450->399 454 50bc096-50bc0a3 450->454 462 50bc11d-50bc128 451->462 463 50bc0f4-50bc0f7 451->463 453->399 457 50bc04a-50bc051 453->457 454->399 455 50bc0a9-50bc0c6 454->455 455->445 457->434 457->444 462->465 467 50bc0fa-50bc0ff 463->467 468 50bc15e-50bc18e 465->468 469 50bc190-50bc194 465->469 467->399 470 50bc105-50bc10d 467->470 468->469 474 50bc1f3-50bc209 469->474 475 50bc196-50bc1cf 
469->475 470->399 476 50bc113-50bc11b 470->476 474->394 475->474 486 50bc1d1-50bc1ed 475->486 476->462 476->467 485 50bbbee-50bbbfc 481->485 482->485 487 50bbc0b-50bbc0d 485->487 488 50bbbfe-50bbc09 485->488 486->474 489 50bbc13-50bbc15 487->489 488->489 491 50bbc21-50bbc43 489->491 492 50bbc17 489->492 496 50bbc60-50bbc63 491->496 497 50bbc45-50bbc54 491->497 492->491 499 50bbc6c-50bbcb6 496->499 500 50bbc65 496->500 497->496 498 50bbc56 497->498 498->496 505 50bbcb8-50bbcd5 499->505 506 50bbcd7-50bbce5 499->506 500->499 509 50bbcf0-50bbd2c 505->509 506->509 512 50bbd2e-50bbd35 509->512 513 50bbd3d-50bbd53 509->513 512->513 516 50bbd63-50bbd6b 513->516 517 50bbd55-50bbd59 513->517 521 50bbd71 call 13305e0 516->521 522 50bbd71 call 1330606 516->522 517->516 518 50bbd5b-50bbd5d 517->518 518->516 519 50bbd77-50bbdbc 519->389 520 50bbdbe-50bbdc8 519->520 520->389 521->519 522->519
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: f`k$f`k
              • API String ID: 0-3251778840
              • Opcode ID: 9fb31bcf1ca7ebd0b479a41923fc711751de0174ac5f1b8cd44e6d0d985fd81a
              • Instruction ID: d4be0341a1ae55aa81438a5d5b4de259e6f05b6a94433d975503268b331151bf
              • Opcode Fuzzy Hash: 9fb31bcf1ca7ebd0b479a41923fc711751de0174ac5f1b8cd44e6d0d985fd81a
              • Instruction Fuzzy Hash: E612BB70A0061ACFEB14DFA9E491AADBBF3BB84304F14856AD4229B355DBB5DC46CF40
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: r
              • API String ID: 0-1812594589
              • Opcode ID: 4f54971d688863e8a26d446bfe29e249106d46f7298e6400b30473f12ccf28c4
              • Instruction ID: c4473b1f480643f7f7339910a004e9ee5320b7fd6a612855bb9ce605a79d314a
              • Opcode Fuzzy Hash: 4f54971d688863e8a26d446bfe29e249106d46f7298e6400b30473f12ccf28c4
              • Instruction Fuzzy Hash: 55721270A0060A9FDB14CF58D584AEEBBF6FF88310F248669D41AAB751D770E985CF90
              APIs
              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0527176F
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: AdjustPrivilegesToken
              • String ID:
              • API String ID: 2874748243-0
              • Opcode ID: f1f51057480dae807427be51af16c194bbb87d7c14711d829d24fc4014cfff05
              • Instruction ID: 47f74be544fcde6a7669e3b5ff5b9eb517829be1fbc139a58d84cf4ce28b8c05
              • Opcode Fuzzy Hash: f1f51057480dae807427be51af16c194bbb87d7c14711d829d24fc4014cfff05
              • Instruction Fuzzy Hash: 6421AB755097849FDB22CF25DC45B62BFF8EF06210F0884DAE9898B163D331A918DB62
              APIs
              • bind.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05272E5B
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: bind
              • String ID:
              • API String ID: 1187836755-0
              • Opcode ID: 44d746be190c1e739a6383897e186ae0c59468f7ec67d8f7f1f2215b4c84280e
              • Instruction ID: c0c50106cc2885779b669c8061de313ac54431ea261658e621b0b30e82950a1d
              • Opcode Fuzzy Hash: 44d746be190c1e739a6383897e186ae0c59468f7ec67d8f7f1f2215b4c84280e
              • Instruction Fuzzy Hash: E621C275508384AFD721CB15CC44FA7BBB8EF46210F08849BE948DB252D334E548CBB2
              APIs
              • WSARecv.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05273326
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Recv
              • String ID:
              • API String ID: 4192927123-0
              • Opcode ID: 2a45b2fa061e3dc422bf4cbc569d7d127a300d1ecc2e774067a79196efab4d99
              • Instruction ID: 416434862c942bfda170ba7c916e7e2a9542cada3c625051ab1e9869eb7320d5
              • Opcode Fuzzy Hash: 2a45b2fa061e3dc422bf4cbc569d7d127a300d1ecc2e774067a79196efab4d99
              • Instruction Fuzzy Hash: 8E11C072500208AFEB21CF59CC44FA6BBE8EF15724F04885AE949CA651D770E5488BB2
              APIs
              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052719A1
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: InformationQuerySystem
              • String ID:
              • API String ID: 3562636166-0
              • Opcode ID: 4c2b34d9cb9ba2cf57705e89459e314b4a2a8be13775ce1849878228a35d594f
              • Instruction ID: 267fe9ff7b397950d934d56d2bd3d0e9ea9215edac41f40b661a96d7afea76f1
              • Opcode Fuzzy Hash: 4c2b34d9cb9ba2cf57705e89459e314b4a2a8be13775ce1849878228a35d594f
              • Instruction Fuzzy Hash: 2B21AE754097C0AFDB238F20DC45A62FFB0EF17214F0984CBE9844B1A3D265A919DB62
              APIs
              • bind.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05272E5B
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: bind
              • String ID:
              • API String ID: 1187836755-0
              • Opcode ID: 6860e1fae12c9b4b6974104b451ba4af61cb638445973f4722480a4a5d3bd788
              • Instruction ID: 2cd8c046cbe3f277e11cbf5ddc08959d1822038dfe9521e9dca157deaa219c9d
              • Opcode Fuzzy Hash: 6860e1fae12c9b4b6974104b451ba4af61cb638445973f4722480a4a5d3bd788
              • Instruction Fuzzy Hash: 1211D075600244AFE720CF15CC44FA6B7ECEF05624F08846AEA49DB641D370E5488AB2
              APIs
              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0527176F
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: AdjustPrivilegesToken
              • String ID:
              • API String ID: 2874748243-0
              • Opcode ID: 7f698266c8020bf6eb27517c6dc8d7b27a7a44d917fb5efd0c020f65c2825805
              • Instruction ID: c96e4946041da1ef4efd5fd1acd470c83a4bcafe23ca178ecb283911abbc2a98
              • Opcode Fuzzy Hash: 7f698266c8020bf6eb27517c6dc8d7b27a7a44d917fb5efd0c020f65c2825805
              • Instruction Fuzzy Hash: 0011C235A102049FDB20CF55D845B62FBE4FF05320F08C4AADD4A8B651D371E428CF62
              APIs
              • GetSystemInfo.KERNELBASE(?), ref: 052713C0
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: InfoSystem
              • String ID:
              • API String ID: 31276548-0
              • Opcode ID: c0610f877fc01478ce1bec1a6a48e1bff14f410ec36277552696a53d8486eef8
              • Instruction ID: eba210f1da6385c5dfb486e1573b136b4b771f074a3e5e5d24029ae5cd844f50
              • Opcode Fuzzy Hash: c0610f877fc01478ce1bec1a6a48e1bff14f410ec36277552696a53d8486eef8
              • Instruction Fuzzy Hash: F601D1759142449FDB20CF15D885B66FBE4EF06724F08C4AADD498F742D3B5E418CEA2
              APIs
              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052719A1
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: InformationQuerySystem
              • String ID:
              • API String ID: 3562636166-0
              • Opcode ID: 1a7cb71f00e682baf9e90cac68bfbee3e3b38617fb399511d4bfa0e9f3a6d5dc
              • Instruction ID: 1ebae3f242c41ccb7240987c2412319e35007d22e84a4654afad2e21ac3828d5
              • Opcode Fuzzy Hash: 1a7cb71f00e682baf9e90cac68bfbee3e3b38617fb399511d4bfa0e9f3a6d5dc
              • Instruction Fuzzy Hash: CB018B35910644DFDB20CF15D884B66FBE0EF19620F08C49ADE890A652D3B5E528CFA2
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0c1e66ad83d1b5c6b923cca62e256619daa01ca0426f15343a794ae91dc23081
              • Instruction ID: e2a487276df801ce7174de8a9556c9c287cd6af0f1e5ef42fffa91c2ebdfdbac
              • Opcode Fuzzy Hash: 0c1e66ad83d1b5c6b923cca62e256619daa01ca0426f15343a794ae91dc23081
              • Instruction Fuzzy Hash: 5B62E031A042069FDB14CF68D8809FEBBF2FF85304B2989AAD4199F252C771E845CB91
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39252dd2630035b4a9b11f4b5be70471f0aeba6f044fee9e08bb79bf30d9333a
              • Instruction ID: 32ffed2825edd6dee3915116d6403a8333b8b180038c8bcf13f9cbd8bbde6c6c
              • Opcode Fuzzy Hash: 39252dd2630035b4a9b11f4b5be70471f0aeba6f044fee9e08bb79bf30d9333a
              • Instruction Fuzzy Hash: 5281B332F111199BEB54DB69E880AAEB7E3AFC8314F298475E405DB359DF71DC018B90
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 69bdead3bf1b6e54561382487a2106a1f03a1cf023b58ece11c76e18558d9e27
              • Instruction ID: 32adc2b0f21b1d9271e69cab547b17e19c91fa7d5bd0346b5352d54cad609262
              • Opcode Fuzzy Hash: 69bdead3bf1b6e54561382487a2106a1f03a1cf023b58ece11c76e18558d9e27
              • Instruction Fuzzy Hash: 3A81A032F111159BEB44DB69E894AEEB7E3AFC8314F2A8474E405EB369DF719C018790
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da069a01d47b2075f8031390486f7b7c97864cf9435a4962f6b8918cf90f150a
              • Instruction ID: 7404f1b7521d7b9b34d3e2590e861f42d79f702f303a243cdbd9d49899a101fc
              • Opcode Fuzzy Hash: da069a01d47b2075f8031390486f7b7c97864cf9435a4962f6b8918cf90f150a
              • Instruction Fuzzy Hash: 23518F32F121159BD744DB69D880AAEB7E3AFC8214F2A8074E405EB769DE74ED018B90

              Control-flow Graph: basic blocks from 50b09a9 (legend: Executed / Not Executed); graph data not reproduced
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: \Ol$\Ol$\Ol$\Ol
              • API String ID: 0-371742063
              • Opcode ID: d8854ad424630c8f47dabfbff37154fa2e58cc7dc694aaf42ea364da604f35a7
              • Instruction ID: cd396dd295d9aacee42f2a5d264ec6e77a63a12318db6a566ef5dccdc2fce38e
              • Opcode Fuzzy Hash: d8854ad424630c8f47dabfbff37154fa2e58cc7dc694aaf42ea364da604f35a7
              • Instruction Fuzzy Hash: 9551A235B001159FDB19DBA4E8A8EBEB7F2AF84308F108469D4179B264DB719C06CB81

              Control-flow Graph: basic blocks from 50b02e8 (legend: Executed / Not Executed); graph data not reproduced
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: :@k$dSl
              • API String ID: 0-2366181727
              • Opcode ID: 2e9b4ff9cf6763e06bd428b61de94fc9571a5ecd15c9355c6fa89d558d746c93
              • Instruction ID: 1b7c42c27bd11f7acdc27e8be2ad125f0cac450f8f74d8175695dddd2ec786b5
              • Opcode Fuzzy Hash: 2e9b4ff9cf6763e06bd428b61de94fc9571a5ecd15c9355c6fa89d558d746c93
              • Instruction Fuzzy Hash: ED51A074B04205CFDB18DF64D5A8AAE77F3BF89314F148069D406AB7A0DB71AC45CB92

              Control-flow Graph: basic blocks from 50b9d20 (legend: Executed / Not Executed); graph data not reproduced
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: $hQ`
              • API String ID: 0-157799972
              • Opcode ID: 30a359e2254afbcdb62737c0a69a515bac2751a58a8d18bdd6d7c97b3e43af82
              • Instruction ID: c2dcb6854185db07adde37bd2055b0b6c68fb3b17504b7c454cb19f2981d2834
              • Opcode Fuzzy Hash: 30a359e2254afbcdb62737c0a69a515bac2751a58a8d18bdd6d7c97b3e43af82
              • Instruction Fuzzy Hash: F541E431F046098BEB10DF65D8C06FEB7A7EB80214F24CD36C6269B705D7B6E8428B91

              Control-flow Graph: basic blocks from 5271c9d (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • DnsQuery_A.DNSAPI(?,00000E24,?,?), ref: 05271D96
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Query_
              • String ID:
              • API String ID: 428220571-0
              • Opcode ID: cd31be4c68e2614f6daf573559171d6e44397471a01a697195c79e90aa23fb02
              • Instruction ID: 79cad686edab927daa920080c6a729ca3bdfc8f26d09df56718746817a24be2b
              • Opcode Fuzzy Hash: cd31be4c68e2614f6daf573559171d6e44397471a01a697195c79e90aa23fb02
              • Instruction Fuzzy Hash: BF41446650E7C15FD3138B308C21A61BFB4AF47614B0E85CBE884CF6A3D6696909C7B2

              Control-flow Graph: basic blocks from 5273735 (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • getaddrinfo.WS2_32(?,00000E24), ref: 0527381B
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: getaddrinfo
              • String ID:
              • API String ID: 300660673-0
              • Opcode ID: 0300fe310982af3262d28ecd498e1d43811ba0fb7b44bce0cd058c513a1f07fc
              • Instruction ID: 9d3046c9c645594a6c631451d934355318ea97140e2e15df3f17a358991903f3
              • Opcode Fuzzy Hash: 0300fe310982af3262d28ecd498e1d43811ba0fb7b44bce0cd058c513a1f07fc
              • Instruction Fuzzy Hash: C131C971509384AFE722CB61CC54FA6BFB8EF06314F0844DAE9889B192D375A94DC771

              Control-flow Graph: basic blocks from 5270736 (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • GetTokenInformation.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 052707E0
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: InformationToken
              • String ID:
              • API String ID: 4114910276-0
              • Opcode ID: e273fbff76aee57ec5e14fdf8df3ee65f91b0c6eaf20d06956bcef1c5bbf6fd5
              • Instruction ID: 9317312ecd7bb6dd656745bb409d81e54df4ffd12e45851c24b62787510e0b9c
              • Opcode Fuzzy Hash: e273fbff76aee57ec5e14fdf8df3ee65f91b0c6eaf20d06956bcef1c5bbf6fd5
              • Instruction Fuzzy Hash: 5F31A1715057846FD722CF64DC54FA6BFB8EF06314F08849AE984CB552D234A948CBA1

              Control-flow Graph: basic blocks from 5270390 (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • RegQueryValueExA.KERNELBASE(?,00000E24), ref: 0527045E
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 9e257e2cb8056fcfb3db2d095617c4bd801dbcb4beffc987f9a033c4ef767ed3
              • Instruction ID: 5809a9be013d22e1abc19c90434efe288a33e63530144fb49cab6e4817064e1b
              • Opcode Fuzzy Hash: 9e257e2cb8056fcfb3db2d095617c4bd801dbcb4beffc987f9a033c4ef767ed3
              • Instruction Fuzzy Hash: EE31B2714043846FE7228F51CC55FE6FBB8EF06314F04489EF9858B592D365A949CB61

              Control-flow Graph: basic blocks from 11daa02 (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 011DAAB1
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Open
              • String ID:
              • API String ID: 71445658-0
              • Opcode ID: 0746ad2b2162778557d1921ac7f6638642a8bada200ac3a914d3395dbeff2e75
              • Instruction ID: 447aafe64a0572f7b8489a5fd338dff097bb24216197bfe98e451a7f9a81d1af
              • Opcode Fuzzy Hash: 0746ad2b2162778557d1921ac7f6638642a8bada200ac3a914d3395dbeff2e75
              • Instruction Fuzzy Hash: 5C31C272504380AFE722CB55DC45FA7BFBCEF06210F08859AE9848B652D364E94DCB72

              Control-flow Graph: basic blocks from 5270d68 (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05270E0D
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: a2652424e540d70b5e9aba8261d41aaae600195ac17ccc0e4712b5dbbaf56124
              • Instruction ID: 2d72fa179092c0de9c762c19468cf76e1fda5e18b6a06082ab5049cc18a5fe3b
              • Opcode Fuzzy Hash: a2652424e540d70b5e9aba8261d41aaae600195ac17ccc0e4712b5dbbaf56124
              • Instruction Fuzzy Hash: 4931A1715043446FE722CF65CC44FA6BBE8EF06210F08889AE9898B252D331E408CB71

              Control-flow Graph: basic blocks from 11daaf9 (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 011DABB4
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 43b5a68d57e311fa78ef9613af8e593780a8dfc6e6bafa76beec20bb6b7f172a
              • Instruction ID: aacad22498c7b425779f1800534b10bdfb2a405b87647dd62894204657632fac
              • Opcode Fuzzy Hash: 43b5a68d57e311fa78ef9613af8e593780a8dfc6e6bafa76beec20bb6b7f172a
              • Instruction Fuzzy Hash: 3D3191755093846FE722CB65DC44FA2BFF8EF06214F08889AE985CB293D364E549CB71

              Control-flow Graph: basic blocks from 52700f6 (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 0527019D
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 502b9fbdba0a0c028d9eb4fbce55aa61cf687242f2c1dbff4444354fcb03a6b8
              • Instruction ID: 1c17419d4b0b339be627fcee8b9b74281f442fabf847742eb43c870653905553
              • Opcode Fuzzy Hash: 502b9fbdba0a0c028d9eb4fbce55aa61cf687242f2c1dbff4444354fcb03a6b8
              • Instruction Fuzzy Hash: D73193715093846FE711CB65DD45F96BFF8EF06214F08849AE948CB292D375E908CB62
              APIs
              • setsockopt.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05273039
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: setsockopt
              • String ID:
              • API String ID: 3981526788-0
              • Opcode ID: 5b18a307a47b3db06bfc347e2754fef9e1075b001a951147b352a9d6fc715ec8
              • Instruction ID: 782545ad0d5fd98af7c51b1161971a5754373eff4669f311db4acdc79514be34
              • Opcode Fuzzy Hash: 5b18a307a47b3db06bfc347e2754fef9e1075b001a951147b352a9d6fc715ec8
              • Instruction Fuzzy Hash: 4E317F71509784AFDB22CF25DC54BA6BFB8EF46314F0884DAE9888B163D325A548C772

              Control-flow Graph: basic blocks from 5272a9c (legend: Executed / Not Executed); graph data not reproduced
              APIs
              • GetProcessTimes.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05272B39
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: ProcessTimes
              • String ID:
              • API String ID: 1995159646-0
              • Opcode ID: d500db44ec50b50bd0c801d541f80e13be5c928f1c80cea555522a880a460725
              • Instruction ID: 49086c48bfdab0b7cc1f62b508a942b005276da9ddc5ed06e9d68b5bd2d04c66
              • Opcode Fuzzy Hash: d500db44ec50b50bd0c801d541f80e13be5c928f1c80cea555522a880a460725
              • Instruction Fuzzy Hash: 9321F572505784AFD722CF64DC45FA6BFB8EF06320F08849AE985CB152D331A908C7A1
              APIs
              • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 052739D6
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FormatMessage
              • String ID:
              • API String ID: 1306739567-0
              • Opcode ID: e47857e8d62f76ba0057b8e535e343269e2ef9c43d4b65b5d39b38ada70ec714
              • Instruction ID: 56eac8fe7411cd6da3223a6577fa102322f73b4f9eeaf1a312da31569328d229
              • Opcode Fuzzy Hash: e47857e8d62f76ba0057b8e535e343269e2ef9c43d4b65b5d39b38ada70ec714
              • Instruction Fuzzy Hash: 58318E7150D3C45FD3138B618C61B66BFB4EF47610F1A80CBD884CF2A3D624A919C7A2
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 0527055C
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: b37910a56d17e6a77599bc8a5d12d569f431e98f666af68ffa901a64db29b1c0
              • Instruction ID: c4288af20a3e9e6663233b7c817f226634f566c87e7d7c7166f35652260b2579
              • Opcode Fuzzy Hash: b37910a56d17e6a77599bc8a5d12d569f431e98f666af68ffa901a64db29b1c0
              • Instruction Fuzzy Hash: 11318275509784AFD722CB65DC44FA2BFF8AF07214F0884DAE9858B5A2D364E908CB71
              APIs
              • getaddrinfo.WS2_32(?,00000E24), ref: 0527381B
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: getaddrinfo
              • String ID:
              • API String ID: 300660673-0
              • Opcode ID: 8eb1e4b764d81f3f90c12400b117019e8bf9ebe7dff5b528003715a75a6fbe2a
              • Instruction ID: f679eaf3d20ed0bf86eef1180125ae58f1c6a52aef42af83950ebd2c7e12f1e8
              • Opcode Fuzzy Hash: 8eb1e4b764d81f3f90c12400b117019e8bf9ebe7dff5b528003715a75a6fbe2a
              • Instruction Fuzzy Hash: CD21D171500204AEEB20DF65CD84FBAF7ACEF04714F04885AFA499B681D7B4E54D8B72
              APIs
              • MessageBoxW.USER32(?,?,?,?), ref: 052714A1
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Message
              • String ID:
              • API String ID: 2030045667-0
              • Opcode ID: 17e7fb34247ce75fc9504330053e96fbf42ab9b4aef3c073b4865ce3175158a0
              • Instruction ID: 3b51930d9114528359950af650e6c5b4e606fb896f07c5737244c8e41ac04c31
              • Opcode Fuzzy Hash: 17e7fb34247ce75fc9504330053e96fbf42ab9b4aef3c073b4865ce3175158a0
              • Instruction Fuzzy Hash: 91319E7540D3C05FD7138B25DC55A62BFB8EF17224F0A84CBD884CB6A3D2249919C772
              APIs
              • GetFileType.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05270EF9
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: 04a27508f2e7d42fd2cd7e5a60eb53aeade34f52d64540fd15a9089280f8156e
              • Instruction ID: 9a9c191bb59b47a5790d889b645d3d745a86c8c4c23a7fa71c611acf88e80b71
              • Opcode Fuzzy Hash: 04a27508f2e7d42fd2cd7e5a60eb53aeade34f52d64540fd15a9089280f8156e
              • Instruction Fuzzy Hash: A421F8B55097806FD7128B25DC45BA2BFBCEF47724F0980DAE9848B293D264A90DC771
              APIs
              • WSASend.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05273232
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Send
              • String ID:
              • API String ID: 121738739-0
              • Opcode ID: 2218b46a3b0f26157f259299f4a2a5d6c9c4e1e8a3538ef78c3db3ceec0f496a
              • Instruction ID: 3d40f2e2f368ccaa9b4a29494b2aa98d719d73ccfe8867574dc7ffb4b91c553e
              • Opcode Fuzzy Hash: 2218b46a3b0f26157f259299f4a2a5d6c9c4e1e8a3538ef78c3db3ceec0f496a
              • Instruction Fuzzy Hash: 8F219FB1504344AFEB22CF55DC44FA7BBBCEF46314F08889AE9898B552D335A9088B71
              APIs
              • RegOpenKeyExA.KERNELBASE(?,00000E24), ref: 05270353
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Open
              • String ID:
              • API String ID: 71445658-0
              • Opcode ID: 78f9bca87c0e3bb0ce93b99daaef32178347d244d4d040316641f83c16aedf1f
              • Instruction ID: 9ac96a14371373f751b5d040be7b127004aabbc9279699689b015f2d06c0716f
              • Opcode Fuzzy Hash: 78f9bca87c0e3bb0ce93b99daaef32178347d244d4d040316641f83c16aedf1f
              • Instruction Fuzzy Hash: D921D3754093806FE7228F10CC45FA6BFB8EF06310F0880CAE9848B1A2D275A949CB72
              APIs
              • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 011DAFEA
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 202df3e845bb86261f8a949eaf60906965c73fbafe75436c9621aa157f0ee9cc
              • Instruction ID: 186cf7c20990dd080c8e057737a9c8b5f281d465cd78aeccf6076aeb33192ab0
              • Opcode Fuzzy Hash: 202df3e845bb86261f8a949eaf60906965c73fbafe75436c9621aa157f0ee9cc
              • Instruction Fuzzy Hash: 2221A7715093C06FD3138B259C51B62BFB8EF87610F0A81DBE888DB653D224AD19C7B2
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FileView
              • String ID:
              • API String ID: 3314676101-0
              • Opcode ID: 26d140b99890b4052fbd3ff5fc94ac809a4360c2f6ac35ac695a328c4b906aaf
              • Instruction ID: 0c03ab4c4ec2e0d05e44ef4174a39e954a42fd046f16579e9b468ccf5dc2791e
              • Opcode Fuzzy Hash: 26d140b99890b4052fbd3ff5fc94ac809a4360c2f6ac35ac695a328c4b906aaf
              • Instruction Fuzzy Hash: 4B21B171405384AFE722CF55CC44FA6FBF8EF0A214F08889EE9888B652D375E548CB61
              APIs
              • WSARecv.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05273326
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Recv
              • String ID:
              • API String ID: 4192927123-0
              • Opcode ID: 5df967310c8885fe0b1ea973404edafe70dbf5ecc5a7b431779f65205a863b63
              • Instruction ID: 6e82941d8831c66fefafd0399a57142976bd76bab4e41ed79c7987c45a0c6050
              • Opcode Fuzzy Hash: 5df967310c8885fe0b1ea973404edafe70dbf5ecc5a7b431779f65205a863b63
              • Instruction Fuzzy Hash: C2218E72504744AFDB22CF55CC44FA7BBB8EF46214F08889AE989CB552D335A548CBB2
              APIs
              • WSASocketW.WS2_32(?,?,?,?,?), ref: 05271E4E
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Socket
              • String ID:
              • API String ID: 38366605-0
              • Opcode ID: 568a0efe0038f3ba75a477ed04b280ee09452b016910c3b7cea4f2347465ad63
              • Instruction ID: d000e76375e11fdbf570437ed44789f3882a038dcda3f2c6939ca58be325f019
              • Opcode Fuzzy Hash: 568a0efe0038f3ba75a477ed04b280ee09452b016910c3b7cea4f2347465ad63
              • Instruction Fuzzy Hash: D421B171509384AFD721CF55CC45FA6FFF8EF06210F08889EE9898B652D375A418CB62
              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05270E0D
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 393f32b8d5364b5889ccec07a852863e7dee31a4c8e8d53c476a39b79d59f4ce
              • Instruction ID: a8076c15310f77aab13f4307ee8ca25a96ab4a455d998eeb308fcf09c1f925de
              • Opcode Fuzzy Hash: 393f32b8d5364b5889ccec07a852863e7dee31a4c8e8d53c476a39b79d59f4ce
              • Instruction Fuzzy Hash: 15218C71604204AFEB21CF65CD85FA6FBE8EF09624F088869E9498B651D371F518CB72
              APIs
              • DeleteFileA.KERNELBASE(?,00000E24), ref: 05271263
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              • Opcode ID: 7e2cd8cf0801df8dd4df20b145a475b464d4e0acba889fcdd1de9768ee2b3604
              • Instruction ID: 27766d610fb3de3a56b4612c0d36b6b11123382c1f381660d40c65eceab3e25e
              • Opcode Fuzzy Hash: 7e2cd8cf0801df8dd4df20b145a475b464d4e0acba889fcdd1de9768ee2b3604
              • Instruction Fuzzy Hash: 5421D3716053806FE721CB25DC45FB6BFB8EF42710F1880DAE9888B692D275A849CB65
              APIs
              • ReadFile.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05270FC5
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              APIs
              • RegSetValueExW.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05271184
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              APIs
              • RegQueryValueExA.KERNELBASE(?,00000E24), ref: 0527045E
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              APIs
              • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 011DAAB1
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Open
              • String ID:
              • API String ID: 71445658-0
              APIs
              • CreateMutexW.KERNELBASE(?,?), ref: 0527019D
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              APIs
              • CopyFileW.KERNELBASE(?,?,?), ref: 05271092
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CopyFile
              • String ID:
              • API String ID: 1304948518-0
              APIs
              • CreateDirectoryW.KERNELBASE(?,?), ref: 05270D13
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateDirectory
              • String ID:
              • API String ID: 4241100979-0
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 011DABB4
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              APIs
              • GetTokenInformation.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 052707E0
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: InformationToken
              • String ID:
              • API String ID: 4114910276-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FileView
              • String ID:
              • API String ID: 3314676101-0
              APIs
              • K32EnumProcesses.KERNEL32(?,?,?,E0294504,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 052718E2
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: EnumProcesses
              • String ID:
              • API String ID: 84517404-0
              APIs
              • WSASocketW.WS2_32(?,?,?,?,?), ref: 05271E4E
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Socket
              • String ID:
              • API String ID: 38366605-0
              APIs
              • WSASend.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05273232
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Send
              • String ID:
              • API String ID: 121738739-0
              APIs
              • RegSetValueExW.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05271184
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Value
              • String ID:
              • API String ID: 3702945584-0
              APIs
              • RegQueryValueExW.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 0527055C
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              APIs
              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052715EE
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              APIs
              • setsockopt.WS2_32(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05273039
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: setsockopt
              • String ID:
              • API String ID: 3981526788-0
              APIs
              • GetProcessTimes.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05272B39
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: ProcessTimes
              • String ID:
              • API String ID: 1995159646-0
              APIs
              • GetSystemInfo.KERNELBASE(?), ref: 052713C0
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: InfoSystem
              • String ID:
              • API String ID: 31276548-0
              APIs
              • SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 0527131A
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: KernelObjectSecurity
              • String ID:
              • API String ID: 3015937269-0
              APIs
              • EnumThreadWindows.USER32(?,00000E24,?,?), ref: 011DACA6
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: EnumThreadWindows
              • String ID:
              • API String ID: 2941952884-0
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DA58A
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              APIs
              • SendMessageW.USER32(?,?,?,?), ref: 011DB841
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              APIs
              • ReadFile.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05270FC5
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              APIs
              • DeleteFileA.KERNELBASE(?,00000E24), ref: 05271263
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              APIs
              • RegOpenKeyExA.KERNELBASE(?,00000E24), ref: 05270353
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Open
              • String ID:
              • API String ID: 71445658-0
              APIs
              • PostMessageW.USER32(?,?,?,?), ref: 011DBBB9
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              APIs
              • DispatchMessageW.USER32(?), ref: 011DBE70
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DispatchMessage
              • String ID:
              • API String ID: 2061451462-0
              APIs
              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 011DB78A
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateFromIconResource
              • String ID:
              • API String ID: 3668623891-0
              APIs
              • DeleteFileW.KERNELBASE(?), ref: 011DBF0C
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: closesocket
              • String ID:
              • API String ID: 2781271927-0
              APIs
              • CopyFileW.KERNELBASE(?,?,?), ref: 05271092
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CopyFile
              • String ID:
              • API String ID: 1304948518-0
              APIs
              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052715EE
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              APIs
              • GetFileType.KERNELBASE(?,00000E24,E0294504,00000000,00000000,00000000,00000000), ref: 05270EF9
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              APIs
              • CreateDirectoryW.KERNELBASE(?,?), ref: 05270D13
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateDirectory
              • String ID:
              • API String ID: 4241100979-0
              APIs
              • SetErrorMode.KERNELBASE(?), ref: 011DA3A4
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: 4aff5029f66e1c2a966cee187f17c8eeff66e45fd67c4a5067ebab76a18e7c81
              • Instruction ID: d41585fdde23b91926b897f7c4404bc8464ec586e0e0333959f20caf8499f3e4
              • Opcode Fuzzy Hash: 4aff5029f66e1c2a966cee187f17c8eeff66e45fd67c4a5067ebab76a18e7c81
              • Instruction Fuzzy Hash: 3A118E714093C0AFDB228B15DC84B62BFB4DF47224F0880CAED854B263D265A808CB62
              APIs
              • K32EnumProcesses.KERNEL32(?,?,?,E0294504,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 052718E2
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: EnumProcesses
              • String ID:
              • API String ID: 84517404-0
              • Opcode ID: da8081059a923101bdc90285b0c18638f9d2852f787f9579c09c07b0860f2205
              • Instruction ID: 4c4ac381bcee6794c9fd55d9e94e0d9e84404c2046031a4a1c64316263c94d29
              • Opcode Fuzzy Hash: da8081059a923101bdc90285b0c18638f9d2852f787f9579c09c07b0860f2205
              • Instruction Fuzzy Hash: 5211AD756103048FEB20CF26D884BA6FBE8EF09220F0884AADD498B651D371E458CF62
              APIs
              • SetWindowLongW.USER32(?,?,?), ref: 011DA926
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 01a5daeb28723a9a17382f272c4361823d26b059945f49a2fb954d2188331286
              • Instruction ID: db2534df46cd3dee54ceddddf39d7435e2799bad6fe9a185ea2407a75ab1d196
              • Opcode Fuzzy Hash: 01a5daeb28723a9a17382f272c4361823d26b059945f49a2fb954d2188331286
              • Instruction Fuzzy Hash: 77117C754097849FC7228F55DC85B52FFF4EF46220F09849AED854B262D275A818CB62
              APIs
              • DeleteFileW.KERNELBASE(?), ref: 011DBF0C
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              • Opcode ID: eb71ac206bfa9472721a1a23d7bfc345eff38781b742ab04c718e71ac1ba7bbe
              • Instruction ID: ada8b633e8ba7700ccefe182cfb4fc7cf32ba1d293b4b1d8262212889a4e5631
              • Opcode Fuzzy Hash: eb71ac206bfa9472721a1a23d7bfc345eff38781b742ab04c718e71ac1ba7bbe
              • Instruction Fuzzy Hash: 6C019E71A042409FDB64CF29D885766BBE8DF06220F0884AADD0ACB642D775E408CE67
              APIs
              • FormatMessageW.KERNELBASE(?,00000E24,?,?), ref: 052739D6
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: FormatMessage
              • String ID:
              • API String ID: 1306739567-0
              • Opcode ID: ee7de18db84e875fb971d4a7f430e188421a6c327db8c5b2da404ff8f139c640
              • Instruction ID: b508752b74dfe63aa7c727c5332aa0074f5d8898bc20a016df56bb191f010754
              • Opcode Fuzzy Hash: ee7de18db84e875fb971d4a7f430e188421a6c327db8c5b2da404ff8f139c640
              • Instruction Fuzzy Hash: 03019E71A00200ABD210DF16CD45B66FBE8FB89A20F14811AEC089B741D731B915CBE5
              APIs
              • MessageBoxW.USER32(?,?,?,?), ref: 052714A1
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Message
              • String ID:
              • API String ID: 2030045667-0
              • Opcode ID: 8494c3e2289db85a38b8e578e446c285015a7f567637a036d0538fca29b02464
              • Instruction ID: 584cb734b6d87b7b4fa36af0b52175fa2bedfce0d8b5c3599fb2dd5c1c5fffb1
              • Opcode Fuzzy Hash: 8494c3e2289db85a38b8e578e446c285015a7f567637a036d0538fca29b02464
              • Instruction Fuzzy Hash: 1E01DE75A102449FDB20CF15D885F62FBE8FF15224F08C09ADC098B352D374E828CAB2
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DA58A
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: d12be9bb8f6cc7e6d3fbc7e14cf843216c92585b5531772cc41f772f23f47db5
              • Instruction ID: f0e9c623dba7abfb39649e7903ca1227d3b510a4e87de6f7b207356b931b4be7
              • Opcode Fuzzy Hash: d12be9bb8f6cc7e6d3fbc7e14cf843216c92585b5531772cc41f772f23f47db5
              • Instruction Fuzzy Hash: C6016D329006409FDB21CF55D844B66FBE4EF09720F08C99ADE494B652D376E418DF62
              APIs
              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 011DB78A
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CreateFromIconResource
              • String ID:
              • API String ID: 3668623891-0
              • Opcode ID: e77a096228737713975adde0bfad3b90aa618c89e9f4b7ff361ccc8e44a5fcf3
              • Instruction ID: 75459593813919d9a16bdd140afae52ff941c3a24215c41b77d2ca74f2b0b75c
              • Opcode Fuzzy Hash: e77a096228737713975adde0bfad3b90aa618c89e9f4b7ff361ccc8e44a5fcf3
              • Instruction Fuzzy Hash: 4201AD325046009FDB218F95D844B66FBE0EF0A720F09889EDE4A4A662D376E418DF66
              APIs
              • SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 0527131A
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: KernelObjectSecurity
              • String ID:
              • API String ID: 3015937269-0
              • Opcode ID: 268425ea60cb76bb16f55216a73519086072ccea57eff5e85873f3bb33daf800
              • Instruction ID: 05b4db714324f0b21b34f3f2c85a1c79a6722f85db2203dcbbb2525e2f61844b
              • Opcode Fuzzy Hash: 268425ea60cb76bb16f55216a73519086072ccea57eff5e85873f3bb33daf800
              • Instruction Fuzzy Hash: F601D475A106458FEB24CF15D885B76FBE8EF15220F08C0AADD498BB51D375E828CF62
              APIs
              • EnumThreadWindows.USER32(?,00000E24,?,?), ref: 011DACA6
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: EnumThreadWindows
              • String ID:
              • API String ID: 2941952884-0
              • Opcode ID: a618efc3762b67cdfe80acbcfcd9a39d23b3282f83d232dec1cff525a7c476db
              • Instruction ID: a448c9700cc3e456dc376d31543647279e19d0e4df5568ccf9a84cda1e59bb8c
              • Opcode Fuzzy Hash: a618efc3762b67cdfe80acbcfcd9a39d23b3282f83d232dec1cff525a7c476db
              • Instruction Fuzzy Hash: B801A271900200ABD210DF16CD46B76FBE8FB89A20F14811AEC089BB41D731F959CBE5
              APIs
              • CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 011DAFEA
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 661b8d1561ba1f49e744431af8adec688765d6d1d4efcc8750ef0b63a5b57a01
              • Instruction ID: 5b34e16fcca73cafb8550ec4c2dbe20d5c8808b6e507a24601f0c8f47a3867da
              • Opcode Fuzzy Hash: 661b8d1561ba1f49e744431af8adec688765d6d1d4efcc8750ef0b63a5b57a01
              • Instruction Fuzzy Hash: BF01A271900200ABD210DF16CD46B76FBE8FB89A20F148159EC089BB41D731F955CBE5
              APIs
              • DnsQuery_A.DNSAPI(?,00000E24,?,?), ref: 05271D96
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: Query_
              • String ID:
              • API String ID: 428220571-0
              • Opcode ID: f55bb4ff43ccee9793c11d57d188c01ae34cf4514455bd598d17900db7ffc015
              • Instruction ID: 0a249edefbead719cd33c53a7826b15a6c47857ecfdcedfa476fb1a9844e37a2
              • Opcode Fuzzy Hash: f55bb4ff43ccee9793c11d57d188c01ae34cf4514455bd598d17900db7ffc015
              • Instruction Fuzzy Hash: 0D01A271900200ABD210DF16CD46B76FBE8FB89A20F14811AEC089BB41D771F955CBE5
              APIs
              • PostMessageW.USER32(?,?,?,?), ref: 011DBBB9
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 11549adbfbb5695ef0e7ab6d99c19d13aa5a102d83473059200327a44c6c3566
              • Instruction ID: a25d5cb89381dd688b3e0f6e1bbe423512e5690f2909ca7bf4a3f38cb9936265
              • Opcode Fuzzy Hash: 11549adbfbb5695ef0e7ab6d99c19d13aa5a102d83473059200327a44c6c3566
              • Instruction Fuzzy Hash: AA01D4355046409FDB358F15D845B66FBE4EF16220F08C09EDD464B666D371E418CF66
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: closesocket
              • String ID:
              • API String ID: 2781271927-0
              • Opcode ID: 048e64bbb36aebfce3c7d38433e3308ef1efaf7526964f44f1b22188589d7b8d
              • Instruction ID: 92d3726d2ad02dfb0c9aec20b10ac111be8747fe062842f7974dd8829bb7a76f
              • Opcode Fuzzy Hash: 048e64bbb36aebfce3c7d38433e3308ef1efaf7526964f44f1b22188589d7b8d
              • Instruction Fuzzy Hash: 2101AD759046409FDB10CF19E884762FBE4EF05224F08C4AADE0A8F642D37AE508CAA2
              APIs
              • SendMessageW.USER32(?,?,?,?), ref: 011DB841
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 62a8634242daafa2df0c64b094caccaeb07e56e3c06ab69f01b5658a8612a058
              • Instruction ID: 5c1626034fb48de6ffd76f4204c8fefe89e50b15f5c86021041e3849b0718e8f
              • Opcode Fuzzy Hash: 62a8634242daafa2df0c64b094caccaeb07e56e3c06ab69f01b5658a8612a058
              • Instruction Fuzzy Hash: 89018B359046409FDB218F06D885B66FBE0EF1A620F09C09ADE4A4B662D375E518CFA6
              APIs
              • SetWindowLongW.USER32(?,?,?), ref: 011DA926
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 35df6ad55223e355ac39f4c5df2b53e0ee5ef3e21c315ccea13480378b776f0f
              • Instruction ID: c987e1b40a2d4bda605a4f72bcb477846a6805cafb11e15aa14f30fa6706ad1c
              • Opcode Fuzzy Hash: 35df6ad55223e355ac39f4c5df2b53e0ee5ef3e21c315ccea13480378b776f0f
              • Instruction Fuzzy Hash: 0D01AD399006409FDB24CF05E885B62FBE4EF1A620F08C09ADE4A0B652D375E818CE63
              APIs
              • DispatchMessageW.USER32(?), ref: 011DBE70
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: DispatchMessage
              • String ID:
              • API String ID: 2061451462-0
              • Opcode ID: 219a0ee76c242fa1cf28c873f34788341a5d0fad8e5c8c1a52ea911969f9c1d7
              • Instruction ID: 2da8e3c1efa4461cc9f9c2612a41175259ffc717bf98f80139f80f3783f69b63
              • Opcode Fuzzy Hash: 219a0ee76c242fa1cf28c873f34788341a5d0fad8e5c8c1a52ea911969f9c1d7
              • Instruction Fuzzy Hash: 35F0AF359086409FDB208F06D885B61FBE4EF16624F09C49ADE0A4B752D375E508CEA7
              APIs
              • SetErrorMode.KERNELBASE(?), ref: 011DA3A4
              Memory Dump Source
              • Source File: 00000000.00000002.3006539353.00000000011DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DA000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_11da000_UOp1kufsuw.jbxd
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: 219a0ee76c242fa1cf28c873f34788341a5d0fad8e5c8c1a52ea911969f9c1d7
              • Instruction ID: 5ab17eb7e7c71d6bf369f39b2659eec61cab1963292be358713b93d8e65feb2f
              • Opcode Fuzzy Hash: 219a0ee76c242fa1cf28c873f34788341a5d0fad8e5c8c1a52ea911969f9c1d7
              • Instruction Fuzzy Hash: A0F0AF35904240AFDB24CF06E885B65FBE4EF15624F08C09ADD494B752D7B9E548CFA3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: r*+
              • API String ID: 0-3221063712
              • Opcode ID: 49a48f7560f539dc462569afd06a1505d402014dd55d10a0ad81548abfff80f9
              • Instruction ID: 3aa20a0f40c57a11aacd7ae468f7a787d2cb676756b5c69bde6005c2114877c8
              • Opcode Fuzzy Hash: 49a48f7560f539dc462569afd06a1505d402014dd55d10a0ad81548abfff80f9
              • Instruction Fuzzy Hash: FB716A34A0820ADFEF44DBA4D5856FEBBF2BF85304F10846AC512EB665D7B09D41CB52
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: \Ol
              • API String ID: 0-1319056321
              • Opcode ID: ec31dfa2b712579c12c3a912e0e02b62de7ec774a6a26829bec31b90d837afea
              • Instruction ID: 72465675d6ea72c2f5d2ff6cf82efee7bc5893c44064e8200a652e438d28f7dd
              • Opcode Fuzzy Hash: ec31dfa2b712579c12c3a912e0e02b62de7ec774a6a26829bec31b90d837afea
              • Instruction Fuzzy Hash: 1851B431A0024ADFDB18DFE5D0546AEBFF6BF84314F148929D4169B389DB389889CF81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: -Z}k^
              • API String ID: 0-2225727145
              • Opcode ID: d5b03054daaf2f7aac50bbd8fed4e2493488262ff3e95cf96d62edcd5b278d91
              • Instruction ID: e29d06ef64e4f7d86572f77bbab717e87c6872310e9641fee1020686264546c7
              • Opcode Fuzzy Hash: d5b03054daaf2f7aac50bbd8fed4e2493488262ff3e95cf96d62edcd5b278d91
              • Instruction Fuzzy Hash: 1B4172307042458BE71C7BF4F96D6AE7BE2AF812097144479E412CF6A8DF708C858BD2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: r*+
              • API String ID: 0-3221063712
              • Opcode ID: 850f1766fa37c8d4dfbbd0b94bb3f64f18267942f742cd88c13cb221eeeef3c5
              • Instruction ID: a707bfec1692b1dcbd7fde456a2d1b7e044ec36ffe1ed86ff4c9eb077c9f91ba
              • Opcode Fuzzy Hash: 850f1766fa37c8d4dfbbd0b94bb3f64f18267942f742cd88c13cb221eeeef3c5
              • Instruction Fuzzy Hash: 47411830E04209DFEF44DBA5D4896EEBBF2FF85304F14886AD616A7260DBB49940DF52
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: L.l
              • API String ID: 0-1469302089
              • Opcode ID: 7a47cde358ee99fa06545db92375ef42f559cbfdd975e95e86178a6c41110e8e
              • Instruction ID: 29401de8d999739f40e4c49a6ea7c9d91faf8f79608ed1f6ca660e196ff713d0
              • Opcode Fuzzy Hash: 7a47cde358ee99fa06545db92375ef42f559cbfdd975e95e86178a6c41110e8e
              • Instruction Fuzzy Hash: D2218F75B4011A9BEF44DAA9ED81BFFB3FBEB89204F108029D619D7241E7705A05C7A1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: L.l
              • API String ID: 0-1469302089
              • Opcode ID: a9fe455908ac469662589c83c2a5e9a8c39a1152278820c5f412e6eb47d2a5df
              • Instruction ID: 1f352f17b699ec9c68bd1a063a4280f65f0ad9b69c39017eb06c51307b5e5778
              • Opcode Fuzzy Hash: a9fe455908ac469662589c83c2a5e9a8c39a1152278820c5f412e6eb47d2a5df
              • Instruction Fuzzy Hash: A4217630B002169BDB54EF74ECC55DEB7F3EB88344F108929D502AB650EB70ED048BA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: L.l
              • API String ID: 0-1469302089
              • Opcode ID: b8ef1e3acbd0867c8293c0bf532c00e0ac43ac6c6c30a2ee18e3b9aafe49c25c
              • Instruction ID: 8a8cd2a912da9331405d979053ef304b62d259d385817647ddc0b45478330681
              • Opcode Fuzzy Hash: b8ef1e3acbd0867c8293c0bf532c00e0ac43ac6c6c30a2ee18e3b9aafe49c25c
              • Instruction Fuzzy Hash: 25213231F04616DBDF68DFB4E885AEEB7F2BF88644F104929D102AB694DB70A904C791
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: f`k
              • API String ID: 0-1028176591
              • Opcode ID: df9bad9a0c2a884ca82fd694156ecc7acdd37bc71a1242b89a8763bdd4f8cab0
              • Instruction ID: 2dae488d687e08fd9b24fd5e245f22d8fdadae1537abc925615c4736f36b5950
              • Opcode Fuzzy Hash: df9bad9a0c2a884ca82fd694156ecc7acdd37bc71a1242b89a8763bdd4f8cab0
              • Instruction Fuzzy Hash: 4D317A70A20609CFEB50CF61D58579DFBE2BF85304F15A929D016AB258CFB4A489CF82
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: f`k
              • API String ID: 0-1028176591
              • Opcode ID: ddb87a4699bb22d375a4c33de06cd54a25ebfe84e8048fd98ec4cf3d76098ad1
              • Instruction ID: 1936bc919764a978ec248b7aae04ac1726d19034e6d0419935b47c772a8c20b1
              • Opcode Fuzzy Hash: ddb87a4699bb22d375a4c33de06cd54a25ebfe84e8048fd98ec4cf3d76098ad1
              • Instruction Fuzzy Hash: E5318E74A1020ACFE764DFA1D58869DB7F2BF85318F11C569C025AF268CBB49485CB42
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: f`k
              • API String ID: 0-1028176591
              • Opcode ID: 0aff130114f89e293a57ccb06b8808bf319ac1946e795afa2ed1455956ec08bb
              • Instruction ID: 19084063bf4064cfcf8173443b001c62b821d9f477d01670765e0e039414f9e5
              • Opcode Fuzzy Hash: 0aff130114f89e293a57ccb06b8808bf319ac1946e795afa2ed1455956ec08bb
              • Instruction Fuzzy Hash: 9A317A71E0060ACFEB50DFA5D48569DBBE2BF85308F04C62ED0159B254DBB89849CF42
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: L.l
              • API String ID: 0-1469302089
              • Opcode ID: 224a721b23360037d710dcc199e28319285148787fb6a9a60c94ea1ead91695f
              • Instruction ID: d0ac3ac186edcdf9fab246b1cf16e732e6c967ccbd4df17e18812672cad7019d
              • Opcode Fuzzy Hash: 224a721b23360037d710dcc199e28319285148787fb6a9a60c94ea1ead91695f
              • Instruction Fuzzy Hash: 0011B731F041159BEF54DFA0E8C1BEEB7E2AB88644F004929D20297690DB70A9008791
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: L.l
              • API String ID: 0-1469302089
              • Opcode ID: 15710f9f06e2aaefb8180f5fb8902e9d46bfe8215166b1410354ef498a19092e
              • Instruction ID: adbf26eb313ac954f0411d3418d76610d0653fba294558adf4dfa457fbe663f8
              • Opcode Fuzzy Hash: 15710f9f06e2aaefb8180f5fb8902e9d46bfe8215166b1410354ef498a19092e
              • Instruction Fuzzy Hash: FB11A530B142169BDB54EE24ACC57EEB7E3AB88750F104529D602EB380EBB0D90487A0
              APIs
              • CloseHandle.KERNELBASE(?), ref: 05271828
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: bf1453ab9a41d543e3b6c84a31981cd5f772a1857155ff452fe335f4159ef46f
              • Instruction ID: 50c1dd56f6398406c5f23aa0d5f5070ba259e258a41aff750b672801076d3f86
              • Opcode Fuzzy Hash: bf1453ab9a41d543e3b6c84a31981cd5f772a1857155ff452fe335f4159ef46f
              • Instruction Fuzzy Hash: 3F21C3715093C05FDB12CB25DC94B92BFB4AF07724F0984DAEC858F663D274A918CB62
              APIs
              • CloseHandle.KERNELBASE(?), ref: 05270264
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: d5a6d00726c1f63e868c670abc0efb689b14db30528d91f8296dfd8bfa509829
              • Instruction ID: 6a3fd464507d7bde58224bb0a092ae21ddf81fa01de793ce64e1fdcf2bbc026d
              • Opcode Fuzzy Hash: d5a6d00726c1f63e868c670abc0efb689b14db30528d91f8296dfd8bfa509829
              • Instruction Fuzzy Hash: C621E7B55083805FD711CF25DC85B92BFB4FF42324F0984EADD858B653D235A909DB62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: ,)l
              • API String ID: 0-1778001103
              • Opcode ID: 269419420dc6c9a4551c443a9006684cb1677926930d652e3cc6a9a512711d56
              • Instruction ID: 01605670ae497a9f83e346e01874bc2b23a1e92aaf7624849312cb01385f1d20
              • Opcode Fuzzy Hash: 269419420dc6c9a4551c443a9006684cb1677926930d652e3cc6a9a512711d56
              • Instruction Fuzzy Hash: 30F046213041019BD71866BDAC95BEE328B9BD2274B584728F22ACF7D0CE65CC094363
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: ,)l
              • API String ID: 0-1778001103
              • Opcode ID: 1b09fd6d090a397952a71a96548b5321e63e68caeb99fe5011f11b8bf1265712
              • Instruction ID: b55ef21f78ed252e53019823be74d78520aa065e9add6b7d326e452b06613394
              • Opcode Fuzzy Hash: 1b09fd6d090a397952a71a96548b5321e63e68caeb99fe5011f11b8bf1265712
              • Instruction Fuzzy Hash: 31F0F62330414193DF086679AC917EDF29B9BE6174BA88339D129DF7D4DE50CD064367
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: ,)l
              • API String ID: 0-1778001103
              • Opcode ID: 68519a9ad7c912676d1a4872a72c2bae862a3ff30cafc64ef0595116f92ccd4d
              • Instruction ID: bbb2e7bb359446c1de857c66f0ebad2e3b1c70c1e26fffc60e2c5dfbfaf40d1d
              • Opcode Fuzzy Hash: 68519a9ad7c912676d1a4872a72c2bae862a3ff30cafc64ef0595116f92ccd4d
              • Instruction Fuzzy Hash: 8FF0C222304101978B08A6B968946EE738BAF961247588729D1299F7E1CE618C0642A7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: \Ol
              • API String ID: 0-1319056321
              • Opcode ID: 337b5af0c1fe9bc20bf20d613a6d794060ee230a27296408e426ed6497cd7125
              • Instruction ID: 469784ed806b8aec9394b6e17147dc8b033c77329a78d399fdcafbc1020efcf5
              • Opcode Fuzzy Hash: 337b5af0c1fe9bc20bf20d613a6d794060ee230a27296408e426ed6497cd7125
              • Instruction Fuzzy Hash: B3F05936B003609BDE2962B970603FD32CB8BC9A69F44003ED10AD7782CEB6CC4253A1
              APIs
              • CloseHandle.KERNELBASE(?), ref: 05270264
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: 0c42276bc8dac5edd87851114f535fd658c6aa97bc1f7f57311587de9283fd7a
              • Instruction ID: 30f8eebf371eeffc9ac201b5995020b2bf931adc07561185edc92cb7dcb9e706
              • Opcode Fuzzy Hash: 0c42276bc8dac5edd87851114f535fd658c6aa97bc1f7f57311587de9283fd7a
              • Instruction Fuzzy Hash: D701F276A102449FEB50CF25D889B66FBE4EF46324F08C4AADD098F742D375E408CE62
              APIs
              • CloseHandle.KERNELBASE(?), ref: 05271828
              Memory Dump Source
              • Source File: 00000000.00000002.3009845654.0000000005270000.00000040.00000800.00020000.00000000.sdmp, Offset: 05270000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5270000_UOp1kufsuw.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: 0ba16e62191efd60f1b0fa8ebfe213c7143931bf3808413e74df967f466e8012
              • Instruction ID: b705ff50b81cf1702a8495bd64f7a8bb04e82ae6dc383e725e3591e9bc819717
              • Opcode Fuzzy Hash: 0ba16e62191efd60f1b0fa8ebfe213c7143931bf3808413e74df967f466e8012
              • Instruction Fuzzy Hash: CC01F771A142448FEB10CF15D885BA2FBE4EF15620F08C0AADD098F742D375E418CFA2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: ,)l
              • API String ID: 0-1778001103
              • Opcode ID: 31574fd9a8c9b0549243c9eff2e3c31631cb87dfec37e19aa4991735c787d8c3
              • Instruction ID: fea0333912ef5623f9599b5a9777064d8662d0965b3bc41142ac2f674bf6b4a2
              • Opcode Fuzzy Hash: 31574fd9a8c9b0549243c9eff2e3c31631cb87dfec37e19aa4991735c787d8c3
              • Instruction Fuzzy Hash: 02F0282130824097C709A67C99957FD27975FD312472843AAD125DF7D6CE618C0A8363
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: ,)l
              • API String ID: 0-1778001103
              • Opcode ID: 20270ddaf2d44aad4fa8ad3780a0c0a55ad1869fac407d28d47cefc4ff980ad1
              • Instruction ID: 82fe868f4278b9f5346046693cc008732b7cd9bd0b7055f32dd47ca6cd365c20
              • Opcode Fuzzy Hash: 20270ddaf2d44aad4fa8ad3780a0c0a55ad1869fac407d28d47cefc4ff980ad1
              • Instruction Fuzzy Hash: 65F0B422304101939B08A67968956FE72CF9FD61347588729D12A9FBE4CE61CC0642A7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: ,)l
              • API String ID: 0-1778001103
              • Opcode ID: 04155d265d0d09da119900f303df1f39550e372cb86abbd63c51a83c69d42ee6
              • Instruction ID: c4347476ec34a404a6dab57a0fe7764f415b125c49d9584cfddd2f2a65de96a8
              • Opcode Fuzzy Hash: 04155d265d0d09da119900f303df1f39550e372cb86abbd63c51a83c69d42ee6
              • Instruction Fuzzy Hash: C7F0B421308111934708B67D99956ED72CB9BD61343548329912A9F7D4CE60CC0542A7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: L.l
              • API String ID: 0-1469302089
              • Opcode ID: 9a65e3bca7f91b7e14d2c69022e3489c3a2928235122933f3239daed2757fb0f
              • Instruction ID: e5f6253c1d852b715bd50423ab9ecf8b00c300973ed06309fb4aeb58beba7f71
              • Opcode Fuzzy Hash: 9a65e3bca7f91b7e14d2c69022e3489c3a2928235122933f3239daed2757fb0f
              • Instruction Fuzzy Hash: 41F0A434B0061A9BDF04EFB0E995ADEB3A2EF98608F108A24D5015F794DF70DD0587A6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: MS}k^
              • API String ID: 0-1620303470
              • Opcode ID: cfa772964a9a141c383aa7f009be33c8e4444a6820ef6485d54b7bcac216ca3d
              • Instruction ID: e8a3e44f15e42db55608ac8b428a036cd98d28bc2ed070d7c152702631b29122
              • Opcode Fuzzy Hash: cfa772964a9a141c383aa7f009be33c8e4444a6820ef6485d54b7bcac216ca3d
              • Instruction Fuzzy Hash: BFF082207986169FBA08EAB7A955BFF32CA5B80448F048439E403DB684EF93D8414396
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: =S}k^
              • API String ID: 0-2571189921
              • Opcode ID: 1e7a0674f023a8a5d2bb904c80ba132a43fbb060b2fab56e142b5e51d8c41281
              • Instruction ID: 8f8a548af8a44be5851dc64bbe1c6b368c531a5c53eb06c8cb1ee5f429752ef1
              • Opcode Fuzzy Hash: 1e7a0674f023a8a5d2bb904c80ba132a43fbb060b2fab56e142b5e51d8c41281
              • Instruction Fuzzy Hash: 60E04F107497911B9B496FB9581126A3BA66E8244870888AAE846CF3A2DE168D0583DA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: MR}k^
              • API String ID: 0-3627006219
              • Opcode ID: 425a0cd4480c2afb8ef8a5a0d54a43cfd462caa7ff4572a56ccc8a37dc5df774
              • Instruction ID: e95b0f7ae46648f4cd0afe7f9996fb47cbd4bdacb454f7487e0f1b83b997c31e
              • Opcode Fuzzy Hash: 425a0cd4480c2afb8ef8a5a0d54a43cfd462caa7ff4572a56ccc8a37dc5df774
              • Instruction Fuzzy Hash: E1E0D871B483902FDB49D7B8585287D7FE9AED211430C84DFD445D7752D6124C01C3D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: =S}k^
              • API String ID: 0-2571189921
              • Opcode ID: 4c673f3809e80bb3d6a393d918447207bfe52ad7c3fefb129ab8d56a8823418e
              • Instruction ID: 3383125c2fdcb8d34b8fb1017a68e8cdde40dfe04e8122cb6d0f640f7e1e27a2
              • Opcode Fuzzy Hash: 4c673f3809e80bb3d6a393d918447207bfe52ad7c3fefb129ab8d56a8823418e
              • Instruction Fuzzy Hash: FFD0A71174162517190CAEFA5C0167F32CF9BC1458708C83CE806DB340DF15CC0043D9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: MR}k^
              • API String ID: 0-3627006219
              • Opcode ID: 8a6e04ed4d9ba66750af4d2bc6f86d41ddb53489e537bf187722e36f41a83694
              • Instruction ID: fc083ae985bf2a46dc685f23312f9bb5a35bd971b4839d1af8d708255f10ee7b
              • Opcode Fuzzy Hash: 8a6e04ed4d9ba66750af4d2bc6f86d41ddb53489e537bf187722e36f41a83694
              • Instruction Fuzzy Hash: EBD09E253401295B990CA5A9995197973CEEBC5559308845EA519E7751CE629C0283D0
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0695c6f49097013522ec994d516aee5a512d23e1fe984a26ff1a23ca46d98da
              • Instruction ID: 84a1238e4669b3be1310d974efb44ced128638187767a14809f543d27e0ca264
              • Opcode Fuzzy Hash: b0695c6f49097013522ec994d516aee5a512d23e1fe984a26ff1a23ca46d98da
              • Instruction Fuzzy Hash: CD22E478A00A49CFC724DF24D4A0AAAB7F2FF48304F1186A9D85A9B755DB34ED45CF41
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 380cd54e04aba35ff85b1ace8b36ca374ffb5f7083248a1518aa26950ca43a43
              • Instruction ID: 1bbb1d0ca4ce02fbbe58ed3b3f42b88342fcaa69804741baa862d479b1a4407f
              • Opcode Fuzzy Hash: 380cd54e04aba35ff85b1ace8b36ca374ffb5f7083248a1518aa26950ca43a43
              • Instruction Fuzzy Hash: AEC12274A0060A9FDB14DF68D484AAEFBF6FF88310F14C569D81AAB741D770E985CB90
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17d39edba621391456e7895816761850b66f1000a4e93634fd29fe24a54d7de6
              • Instruction ID: 10e51cc5cb29d813943f943b4ea0a98e00a5a58ba8558ada632e9a310acddc70
              • Opcode Fuzzy Hash: 17d39edba621391456e7895816761850b66f1000a4e93634fd29fe24a54d7de6
              • Instruction Fuzzy Hash: FC817E31A005198FDF15CF10D890AEEB7B3AF45304F05C5A5D90AAF215DBB2AE8ACF91
              Memory Dump Source
              • Source File: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc2909ccfe863048cbb7548e6aa021a0f6bf3c24eafe89466a0cd22b1a484b06
              • Instruction ID: 579bbd2e1420b8f49ef5a54c3a2c612b981081e063a96b1e0a4f018d9bdf6d25
              • Opcode Fuzzy Hash: cc2909ccfe863048cbb7548e6aa021a0f6bf3c24eafe89466a0cd22b1a484b06
              • Instruction Fuzzy Hash: AB711939A04205CFDB24DF69C484AA9BFF2BF48324F148569E916A7761CB38E881CF50
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 00aad8bec2d95e4fac26dd43c51c5f4fdae676bae63d30716aa826af9261ad2b
              • Instruction ID: 9fb7585dfe63fd60d79269133c528ac53e1161f6511c17aa3b1000a37490e30f
              • Opcode Fuzzy Hash: 00aad8bec2d95e4fac26dd43c51c5f4fdae676bae63d30716aa826af9261ad2b
              • Instruction Fuzzy Hash: FA31F53190461ACFDF15CF50D8946DEB7B2EF86304F518594D909BB205DBB0AA8ACFC1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7b4a248c2a4347523b2a9137c070d355fcb4d28364f0c3661675154187b1284b
              • Instruction ID: cf9ed1d14ed12cd67ddc1a2ca67b35628c256c3c547ab4d7229554835814cb77
              • Opcode Fuzzy Hash: 7b4a248c2a4347523b2a9137c070d355fcb4d28364f0c3661675154187b1284b
              • Instruction Fuzzy Hash: 0B518E31B002098BDB18EBB9D5946EEB3F7AFD8304B258529C406AB740DF71ED06CB91
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 89486ecd1c82171716e786b7e9443102f2a79df354671c03c219f26c4ef66c62
              • Instruction ID: fa60b3797706653ab752f177c31ef90100bf5d3adaf864c18047a848ae8a8026
              • Opcode Fuzzy Hash: 89486ecd1c82171716e786b7e9443102f2a79df354671c03c219f26c4ef66c62
              • Instruction Fuzzy Hash: 795102B5D00618CFDB18DFA8DA846DCBBF1FF48314F20866AD45AA7264E771A946CF40
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d03a711ad781e9303b2fbdc323d59f60bdbf73626a714e442d6ca765029b34d2
              • Instruction ID: 413b17d82a246f05feec3a2980c74fa5a0cc5f834b1e7812fb8287a31306ede1
              • Opcode Fuzzy Hash: d03a711ad781e9303b2fbdc323d59f60bdbf73626a714e442d6ca765029b34d2
              • Instruction Fuzzy Hash: 61513934A00215CFEB54DF70D598BECB7F2BF99204F5082A9D40A9B791DB709C45CB62
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 043bedc542e07c4aef3a4bd886c39f678e5e627389eb3d85977935af30e8c757
              • Instruction ID: ac1f1292c8c46886f9081df0f2cb5e4f1850e63bde10f1109b4bacc6a519d3be
              • Opcode Fuzzy Hash: 043bedc542e07c4aef3a4bd886c39f678e5e627389eb3d85977935af30e8c757
              • Instruction Fuzzy Hash: 7D41B831B041148FDB15DB28D4686EF77E7AF86314F1580AAE806EF761CFB29C068792
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 063e68fd9d26c993973d1e6d525ba35969d678545abfe8720b3156cc557e0ca6
              • Instruction ID: 77e17cd535e8fe06137ae6a917b1e4203211d92a1b81d7acccd68c3fc3f00295
              • Opcode Fuzzy Hash: 063e68fd9d26c993973d1e6d525ba35969d678545abfe8720b3156cc557e0ca6
              • Instruction Fuzzy Hash: C141B338B01294CFC719AB75E06416D7BF2BF8B600B644179E956DB746CB32AC41CBA1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9001227f2d6e8cf3437151646a016f05d85f5330b51f7cce7d8fdd7962a188df
              • Instruction ID: 9fba9f6a23cebeb016d9f5f224e399580878f8e6194b1f06a9e8d46146328fd4
              • Opcode Fuzzy Hash: 9001227f2d6e8cf3437151646a016f05d85f5330b51f7cce7d8fdd7962a188df
              • Instruction Fuzzy Hash: 23416431B105168FDB08AB78C859BBEBBF6EFD9604F154069E116DB7A0DF708C058B92
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75bcad1adf0ba730a29a7246eaad4798d99a6ce340b9c0991ad2663d02a7e78b
              • Instruction ID: df7e2a8237810c6e5e32d8fe1aa3b56726d3309952f9c1a5b7c5a0e502d8444c
              • Opcode Fuzzy Hash: 75bcad1adf0ba730a29a7246eaad4798d99a6ce340b9c0991ad2663d02a7e78b
              • Instruction Fuzzy Hash: 6C41D138701258CF8719BF65E0A416D7BE6BF8A600B640178E916DB74ACF32AC41CBA1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a7f02abfa3bfcbacecd990bb9bfde5a31912456164132b0fc63144081d68661
              • Instruction ID: 75419c43f7eed6ac68fad220a616d2db04a7fe84acc39f56a383b4d023ca52f7
              • Opcode Fuzzy Hash: 7a7f02abfa3bfcbacecd990bb9bfde5a31912456164132b0fc63144081d68661
              • Instruction Fuzzy Hash: 07417C70B016049FEB58CB64D5A8BFE77F6BF89714F144069D402AB7A0DBB1AC44CB51
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 60fe0b8f4c4249b0372f3dd62450463346c062cd86eab5b584931b4b2c490e1b
              • Instruction ID: 912eb73233e1f9206b690491da647b314c0a19ec65b8de571635f703b19d265b
              • Opcode Fuzzy Hash: 60fe0b8f4c4249b0372f3dd62450463346c062cd86eab5b584931b4b2c490e1b
              • Instruction Fuzzy Hash: E8415734E04259DFDB64DF64D8A0BADBBB2AF4A204F0041E9D40AAB751DB309D84CF52
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1db99ec0f39646d9893c8167fab85dbbddf5f130be343838c04b45324ee3e4d2
              • Instruction ID: 34f0e4303f60cc7d2698fdd8e5be2378f4a9b5162698ff97182abf58165bdf68
              • Opcode Fuzzy Hash: 1db99ec0f39646d9893c8167fab85dbbddf5f130be343838c04b45324ee3e4d2
              • Instruction Fuzzy Hash: C2318B35A00006CFDB14DB68E4889EEF7E5FF84324F21C276D91A9B660D770E856CB92
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 74ff41f1035dfb18d3fa3eb6eb08153fe7b435712eca8f073eee6bc2893e3f76
              • Instruction ID: 394aecb8535a851b040e9ad316c55ad753cd90fd051c9d7193a127707a54e657
              • Opcode Fuzzy Hash: 74ff41f1035dfb18d3fa3eb6eb08153fe7b435712eca8f073eee6bc2893e3f76
              • Instruction Fuzzy Hash: 9E317E3051D3C58FC706DF74D8A85997FF2BF57204F49889AE081CB266EB749818CB12
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9d0de480e3e8fe8fdf3b9801832cabad54c321a8ef293233c47f7377a4186f72
              • Instruction ID: 3009eb2272d226ddfcbf6b115b48173b7ce7a459fac85376b3ba0a7d28fe7883
              • Opcode Fuzzy Hash: 9d0de480e3e8fe8fdf3b9801832cabad54c321a8ef293233c47f7377a4186f72
              • Instruction Fuzzy Hash: 60314B31A002099FDB18DBB5D4945EEB7F3EF89304F118569C446AB754DB71AD06CB90
              Memory Dump Source
              • Source File: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 973ad4cb1b8c1a7c3004fac7713405d1afc77093c3ea7405e0bc194ad5386028
              • Instruction ID: df278bc0f3d76a5e6390f58c84fcf07b3e50cf63a81084ad2351c674c122b0e8
              • Opcode Fuzzy Hash: 973ad4cb1b8c1a7c3004fac7713405d1afc77093c3ea7405e0bc194ad5386028
              • Instruction Fuzzy Hash: 0C41F431905B54CED329DB3AC545366BBF6BF85205F14CC6EC19B86AA4CB7AA485CF00
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c8dbb3bef0d0284b1e39c9c2f2f77346c95e8465d7dd691f946e4e29032c83e0
              • Instruction ID: 481ebda758ad17eef27bce551fad4782372704ba047b9fff6bcb37731d73b476
              • Opcode Fuzzy Hash: c8dbb3bef0d0284b1e39c9c2f2f77346c95e8465d7dd691f946e4e29032c83e0
              • Instruction Fuzzy Hash: DE218C70A003098BEF04DBA5D8546EEFBF6AF9A304F114569C406AF340EBB0A949CB81
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 108881ceea464b320e0271c68694de5ca4ff308d287bf54fb1cea0c372bb2c76
              • Instruction ID: c9e5becf86a8763586dbc3ab55c48846c5f224f08b6eaf0368150cec19fb331d
              • Opcode Fuzzy Hash: 108881ceea464b320e0271c68694de5ca4ff308d287bf54fb1cea0c372bb2c76
              • Instruction Fuzzy Hash: F8313474E01208DFDB08EFB9E8889EEBBF2EF89204F109429E415B3324DB359945CB54
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 40f0335ce5a964a7d9c910bc34e8dfc4b3c8cf9a83ab1ed4813f01b5ab47f912
              • Instruction ID: ca6ff81bf231652eb27e3d17e605caa5eb4f934394a2d4c2b7e9da8632f7d1a4
              • Opcode Fuzzy Hash: 40f0335ce5a964a7d9c910bc34e8dfc4b3c8cf9a83ab1ed4813f01b5ab47f912
              • Instruction Fuzzy Hash: B4210871608A0ACBE304EB65F9C88ED7B7EBF64204754C427D00697625EBB0E8188763
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ecb82179d50fbedcd8753a7843e1f81869a84c55e6425e2059ecfe93dbf5626
              • Instruction ID: 041060c980ef2459b1faa68e133025cd6145618f0ab297668da03aae2c40b67b
              • Opcode Fuzzy Hash: 5ecb82179d50fbedcd8753a7843e1f81869a84c55e6425e2059ecfe93dbf5626
              • Instruction Fuzzy Hash: 9431B335604659DFDB15EBB4E8588ED7BF2FF4630870580A8D0029B27BDB319955CB82
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d375fa5355e1384050f4296c22223f34170fe3fb4c5f64e40fa12797e4b33381
              • Instruction ID: 292b6a8e13b97b699bd78542dfe1df952931739cda328809fc90c9b2b2bd8781
              • Opcode Fuzzy Hash: d375fa5355e1384050f4296c22223f34170fe3fb4c5f64e40fa12797e4b33381
              • Instruction Fuzzy Hash: 65217831A10205DFDB08EBB9F4985AD7BE3BB85214B50856AE002DB350DF349C05CB52
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38c4ff4554f0e2719ae65620f07a1568a47a1eb7f4df2781f255c2b2376e52b9
              • Instruction ID: e0f3af29cdaceaa1afa441666e4e89fbf167069042e562b4090dca2d9f908ca8
              • Opcode Fuzzy Hash: 38c4ff4554f0e2719ae65620f07a1568a47a1eb7f4df2781f255c2b2376e52b9
              • Instruction Fuzzy Hash: 8B21C731B40204DBEB149A74A8957EE7BE6AF88714F1400BAE502EB390EFF64C458791
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 776ec50c68111c56b32af51dd9cc0ee3d8920d48d280c61f25e335ccc8d34290
              • Instruction ID: bb60760607a53bbd67b03ab66c06b2240ad3159dd0f3c239eb6f05cec1b1174e
              • Opcode Fuzzy Hash: 776ec50c68111c56b32af51dd9cc0ee3d8920d48d280c61f25e335ccc8d34290
              • Instruction Fuzzy Hash: 2E31A17970064A8BC71CAF74D06819C3BE2EF96248B54866DD0269B745DF32DC4ACF82
              Memory Dump Source
              • Opcode ID: 0fdd142c5501422f275b4bc457c388d30cba295875a2b710974a2c2f6b49fac0
              • Instruction ID: 67076a0a8a76aba03759dcb362bcb4141838814c3dacf604e71dc6736a8dd556
              • Opcode Fuzzy Hash: 0fdd142c5501422f275b4bc457c388d30cba295875a2b710974a2c2f6b49fac0
              • Instruction Fuzzy Hash: 6301D6B65097806FC7128F15AC41862FFB8DB86120709C4EFEC498B652D265B909CBB2
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9125fcd284b0d92651e2f2b9488da15aa6a90f01e6206b5b12fc59168b6d629c
              • Instruction ID: a125b2a58ffd2231357fcf13686e37347c1f6bceac6cf481a2da7e9674e7abdd
              • Opcode Fuzzy Hash: 9125fcd284b0d92651e2f2b9488da15aa6a90f01e6206b5b12fc59168b6d629c
              • Instruction Fuzzy Hash: EE01AD71E001098FDB50EFB8E9517EEB7F4EB88210F01013AC518D3241EB7169048BD1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7037340ef0a086ae21f236c235ef2407045acf80ce24d3aaafde5e6b785884be
              • Instruction ID: 4fdff5a140a10b742d228ea23f01759fe6718a9f0d787cdda779ebcd55274e44
              • Opcode Fuzzy Hash: 7037340ef0a086ae21f236c235ef2407045acf80ce24d3aaafde5e6b785884be
              • Instruction Fuzzy Hash: 6BF03A71700428474609767959686BF62DB9FC9A98B19882FE006DB396CFB9CC4703EB
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b34146fa57f704ea0320b361f16271e463539b8ab26f2bebab4e582914966d0
              • Instruction ID: d944897e7e12c4882d792a37314833cfdd94dabe1d43b5828ddcc21ebc9d3f89
              • Opcode Fuzzy Hash: 6b34146fa57f704ea0320b361f16271e463539b8ab26f2bebab4e582914966d0
              • Instruction Fuzzy Hash: 27018B31A0420A8FEB84EBB8E4999FEBBF5FF52214B10856BE155C7301DB7089148B92
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 664eb57c9b2a1e1d30a5e0e2f9627de21ba37fb3153ce71e41936647f584e5c6
              • Instruction ID: 30cae8a84df45fc506fd7afbe714c3fe9af3eca853debd9cf2ef6e0199120aeb
              • Opcode Fuzzy Hash: 664eb57c9b2a1e1d30a5e0e2f9627de21ba37fb3153ce71e41936647f584e5c6
              • Instruction Fuzzy Hash: 0301B870A006499FDB50EFB8E8A1BEEBBF0AF49610F414079C558D7282E7726905CBD1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c413cd44bb0d5d017254eb1e7b742c88667033e4d0d60163a9ea0d13762bc6e
              • Instruction ID: d5203b0eebf82eaf26a55da712ad302a6c1eab38fa7e4ee3e7393c880ef0e280
              • Opcode Fuzzy Hash: 7c413cd44bb0d5d017254eb1e7b742c88667033e4d0d60163a9ea0d13762bc6e
              • Instruction Fuzzy Hash: 1501FD32304205CFCB04FBB8E08969DB7E3EF882147088139E00ACB704DFB19C468752
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a1728ddd5350a56595f3147030ce91e22ce7f98a08269fe579ceb303558dca9
              • Instruction ID: dc05daf6d6ccc4e20471a1d48adfb840e719fb0f747e84d62e5cd6c5934fbccc
              • Opcode Fuzzy Hash: 8a1728ddd5350a56595f3147030ce91e22ce7f98a08269fe579ceb303558dca9
              • Instruction Fuzzy Hash: A2F06232304109CB4B18EA69E4555AD76E7BFE92143548939E10BCB351DF76DC068B53
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 284dc55f681ebd70a785cdb0affcb981c9b7c83f0bcb083da56b8143394fac93
              • Instruction ID: b051b70e9e65a9d6e0cf087eea569b0c926218451fa3fc3500f2ead6dd2eeb7f
              • Opcode Fuzzy Hash: 284dc55f681ebd70a785cdb0affcb981c9b7c83f0bcb083da56b8143394fac93
              • Instruction Fuzzy Hash: 67011230304014CBDB08E728E0689AD77E7BFD5605B1540AAE406CB7A5CFB19C19CB96
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c00dff0ad34955eddf9e3ccf95b62bda37b4fc3a10280a2a35b88e5fe1d3beb
              • Instruction ID: b07e82119f914eb7c88b4e78f04fe87953219df8fb51cd497205bf68549ca258
              • Opcode Fuzzy Hash: 7c00dff0ad34955eddf9e3ccf95b62bda37b4fc3a10280a2a35b88e5fe1d3beb
              • Instruction Fuzzy Hash: 22018FB1E0020A8FDB90EBF8A9467EEBBE1BB44224F10012AD619E3384EB305545CBD1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d7fce27a0d6e3e8f80ff3ab02a83db8bd51216f5d1031cb6e112c4ce164f70f
              • Instruction ID: e26c0781cad21e91965f0cc51512589634bb22c2ff8631df9d239a60f5914add
              • Opcode Fuzzy Hash: 6d7fce27a0d6e3e8f80ff3ab02a83db8bd51216f5d1031cb6e112c4ce164f70f
              • Instruction Fuzzy Hash: FCF02431A04654ABEF509634A4A06FF7BF68B8A648F5000BACD47E7241E7624E06CBC2
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8cd564965d3dd381c3f5a6bcd6565e698f4ef66cebc63dc7cd1ee296dc7e0a1
              • Instruction ID: e4a12d73dd4250462d6e5f832abf4b5cb6e6f9fddd025368c4ade2654bb8a0fd
              • Opcode Fuzzy Hash: d8cd564965d3dd381c3f5a6bcd6565e698f4ef66cebc63dc7cd1ee296dc7e0a1
              • Instruction Fuzzy Hash: 30F04F31A08245DFDB11EB74E8C48EFBFBAAF8621071484B6D941E7162D37155068762
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 93f6ba7054fdd26883143d392fff52c8b125ad7099e0dc13e47f6c384a549c97
              • Instruction ID: e20b25004c0a50e3f67374c282b0670cd813589555de800d5340462f4163aeac
              • Opcode Fuzzy Hash: 93f6ba7054fdd26883143d392fff52c8b125ad7099e0dc13e47f6c384a549c97
              • Instruction Fuzzy Hash: 6EF0AF32304609DBCB04FB78E45969DB7E7EF992153188579E00ACB714DFB1AC068752
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 350c2ec2961e93fd46673885e5b37c0b0adb489886ef6d65f1fa63955e2e1c27
              • Instruction ID: fdcd12a3aebd5190345a502441f7fcf3855cb865f220057a7bfdfcf07c253847
              • Opcode Fuzzy Hash: 350c2ec2961e93fd46673885e5b37c0b0adb489886ef6d65f1fa63955e2e1c27
              • Instruction Fuzzy Hash: 81F02B32F40604ABE710CA24BC517FE77F69795780F0041369509873C0F7764A0187C1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62bd460feecc8502894e74f6bc8b4bd9ac05925fbe08c6d7e90ad8ae0ebb22a9
              • Instruction ID: eed07aa15063e42de0eaeac4b7e6bfff8c184dc1c73ccbd3b4597aa54a0a7a8b
              • Opcode Fuzzy Hash: 62bd460feecc8502894e74f6bc8b4bd9ac05925fbe08c6d7e90ad8ae0ebb22a9
              • Instruction Fuzzy Hash: 48F0E931F04619D7AB10E27578A01FF77E79785590F400236D90A97340EF665D0587D2
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d303615159966b0ec9f0acfb0fd0ad28b7c7d3f04fb895ba03eedae66266d1a
              • Instruction ID: bf79f939b712b77f8ed9fb1ac0046ef6cb45eac6505018be6a386b22890009b4
              • Opcode Fuzzy Hash: 6d303615159966b0ec9f0acfb0fd0ad28b7c7d3f04fb895ba03eedae66266d1a
              • Instruction Fuzzy Hash: 2BE02B3730001327926C61AD68557AF32CB87D5D307684239E505D7740DE619C0283E5
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a23dfcee822c2817c9c0dc13627385242037a4245f437bb6c2ce852d764c5a7e
              • Instruction ID: e279e9311291d9b4e0f34eedec6ffea9553e5d7b10ae7ef72cd423aab8735449
              • Opcode Fuzzy Hash: a23dfcee822c2817c9c0dc13627385242037a4245f437bb6c2ce852d764c5a7e
              • Instruction Fuzzy Hash: F1F02722B001616BFA24A1B924557FF57C787C2954F1A427EE402DF781CEA18C0313D2
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 06150b1a83adb041626c3fba599998b8705052beda22766ea342e61976d0c68a
              • Instruction ID: 7f39b48b1156499a9e94503fe399872e81832fbf16b0f0295d3d0928c21fdcce
              • Opcode Fuzzy Hash: 06150b1a83adb041626c3fba599998b8705052beda22766ea342e61976d0c68a
              • Instruction Fuzzy Hash: 21F027313442505FCB169BF470642FE3FE29F83254B2444A7D005CF953C75689018382
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 40f4f43aa585fc59f5b3938ff3c561f438a0b3b6cab4950af237015ab9095764
              • Instruction ID: f13e0e3998c23fc832e6f23d0dd1ded23be6c1ea90a0e17f368b36b42c3dee5c
              • Opcode Fuzzy Hash: 40f4f43aa585fc59f5b3938ff3c561f438a0b3b6cab4950af237015ab9095764
              • Instruction Fuzzy Hash: 7EF0E231E443496FDB51CBB8AC11AEBBFF8EB86250F2141ABD548E7152E2310A04C7A1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 23f220790f8786ef8a8071ff9534b73ed41c51257b332d341bddc8314c928e08
              • Instruction ID: 3f37035e9d80d9fde0c875405192db55203ed4432db7bf120aef5e1effb97109
              • Opcode Fuzzy Hash: 23f220790f8786ef8a8071ff9534b73ed41c51257b332d341bddc8314c928e08
              • Instruction Fuzzy Hash: 3DF0AF3090564ECFD700EFB0E8899DEBF70BB53209F00A099E40097664DB74AD4CCB92
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c73bbcd2a8b6b264bbe7e3f113d3171926101248ad56b820e1ed9fe0091ec5f
              • Instruction ID: c89f62db567d65ae789f9919ca7aef6879b0a81eef4170f259d18ac3437b3962
              • Opcode Fuzzy Hash: 7c73bbcd2a8b6b264bbe7e3f113d3171926101248ad56b820e1ed9fe0091ec5f
              • Instruction Fuzzy Hash: 04F0A039B0D6475BE7359624A8C07FD22CBBBA2A44F188B76C486C6114F5E5C8454342
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae89eff9ea7bcc6ce216cad21a1c3e9fb5ae0830993d5a607dae4b57b573d74c
              • Instruction ID: ccc6c069fc09b04fbf90ac9de03ee3a531e853d2409627b4ede294b1cb1b1449
              • Opcode Fuzzy Hash: ae89eff9ea7bcc6ce216cad21a1c3e9fb5ae0830993d5a607dae4b57b573d74c
              • Instruction Fuzzy Hash: 55F08C357443426FC71A667868526AEBBAAAFD7654B2400BBD1458B2A1DA760C028360
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6cb67dbe69345b0587bf289c7b33b8f1af416126f18c04f7a0baaf4469e75833
              • Instruction ID: e3e3055bbfc960bd0dbc0f294df195d85807b30a7a7304ad67fdbed12cb98f72
              • Opcode Fuzzy Hash: 6cb67dbe69345b0587bf289c7b33b8f1af416126f18c04f7a0baaf4469e75833
              • Instruction Fuzzy Hash: 98F01771D0120A9FCF90DFF898496EEBFF1FB49354F1040BAD018E6201E2365A01CB90
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c026a1a772b24e1f8408662c2281bdea3df681d737f3d9193cafd43407d3b879
              • Instruction ID: dcb084b96404bad81c6756f3ab9cde69ea687862054ebf4d112f6758e3d3e155
              • Opcode Fuzzy Hash: c026a1a772b24e1f8408662c2281bdea3df681d737f3d9193cafd43407d3b879
              • Instruction Fuzzy Hash: 92F08232300205DB8F59A768B4445EDB7A7EFD6169398853EE10ADB350DF72DC078B51
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 352e70c947bc65b172862801d8c753a2b5a3c6fe0eac01999ba3c099d033439a
              • Instruction ID: 5c122b421600c6bbad673c9ec45db9686e3f787ca5638864c41a9abba9def96e
              • Opcode Fuzzy Hash: 352e70c947bc65b172862801d8c753a2b5a3c6fe0eac01999ba3c099d033439a
              • Instruction Fuzzy Hash: 3EE02B32B042886F9F494A79A8101EFBFF6EF86264F1400BAD904D7340FA215C2187D1
              Memory Dump Source
              • Source File: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmpDownload File
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f36132c8478747553eeaffdefcb86d5b3be69927a89e27e20b6c711d025b271
              • Instruction ID: 2e2f92bb1c74aeaf333a5d67435fec2d165e540eb5a02a8a05c7e6c650d7f79d
              • Opcode Fuzzy Hash: 8f36132c8478747553eeaffdefcb86d5b3be69927a89e27e20b6c711d025b271
              • Instruction Fuzzy Hash: E5F05E32904158EFCF41EFA9C8049EEBFF9EF09210B1484A6E558D71A5E73586A0DF91
              Memory Dump Source
              • Source File: 00000000.00000002.3006924768.0000000001330000.00000040.00000020.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1330000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
              • Instruction ID: 2ea6417b67af4670910fd2b350c243d6e9b05c8fd2d30c38a3d2fd749dd0690d
              • Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
              • Instruction Fuzzy Hash: 0EF01D35104644DFC306CB14D940B16FBA2EB89718F24CAADE9491BB62C337E813DA85
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb91719ded962ad61ebb1ec24421aa9c98199be6b69b45a3a2fc088eaedae077
              • Instruction ID: 6fa48c9d387faa3b9a989a19aa7da7edfdc1e2f0bcd31b137ac7c775f43453a3
              • Opcode Fuzzy Hash: fb91719ded962ad61ebb1ec24421aa9c98199be6b69b45a3a2fc088eaedae077
              • Instruction Fuzzy Hash: B5E0E532A043C09FDB1682356490BFD3BA34BCB654F5640BBC041DB353D49249028350
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b192f09f5c14fa951040111b840e343e0315085e3251a7e963a74ab99746a0df
              • Instruction ID: f29e50492dc414c020837918e1e769016b4d4f5df9e439ee80e3c117e206f554
              • Opcode Fuzzy Hash: b192f09f5c14fa951040111b840e343e0315085e3251a7e963a74ab99746a0df
              • Instruction Fuzzy Hash: 38F0A732300205CB8B59A76CB0445ADB7E7EFD5169394853EE10AC7340DF72DC078751
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f0f254769125a67fccb673893620df13c77d4abc5a19a04c2c76cebba2ea8ae5
              • Instruction ID: 3efa0027afc9ee0f9b2cfcbcf6fc3af455083a2a2e7de2ddb9c6899ac37d50ef
              • Opcode Fuzzy Hash: f0f254769125a67fccb673893620df13c77d4abc5a19a04c2c76cebba2ea8ae5
              • Instruction Fuzzy Hash: F7E0D1213182955F4615766D65D04FD376B4AC666530A40A7D505CF352DDD14C4583A2
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b512a56c1c52cb1cbc161b295da1a983aa513f2e10a52f156f92244acf1a58e6
              • Instruction ID: 142756f2afd7d92c8b71f6b12e10006620ec512f1de843c61ca9029f7b7a2b5e
              • Opcode Fuzzy Hash: b512a56c1c52cb1cbc161b295da1a983aa513f2e10a52f156f92244acf1a58e6
              • Instruction Fuzzy Hash: FAF0E530F040088BFB04FBB4FEAD2ED73A2AB88118B4141B6C517E7681FF6098048B82
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a88c4ed70b2c63a8ff72822455c56d389748e11671e74c96ce1d63aaff6c7aff
              • Instruction ID: 1f03fd452100f97d4c5519c8cce59cd9bebd0db87d8eb8f0e50f0670a4c745f0
              • Opcode Fuzzy Hash: a88c4ed70b2c63a8ff72822455c56d389748e11671e74c96ce1d63aaff6c7aff
              • Instruction Fuzzy Hash: 64F0E23050460CDBD301EFB4E8459EEBF70AF02309F00A1A8E400672A4DB709A1CDF96
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73d1467826b93a4753d9a056a6c61910a1e7372998267bea3001732127d5d47e
              • Instruction ID: 3213a4a72650c9817808bda27ea0700eb87cf02280ce0842ea234caf16a271d3
              • Opcode Fuzzy Hash: 73d1467826b93a4753d9a056a6c61910a1e7372998267bea3001732127d5d47e
              • Instruction Fuzzy Hash: F7E06D38B011150BFB68B3F9B8683EDA2829FD5918F800679C156DFBC5EFA04D018BD2
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5e02172e601e4208d3df09db8584d64f14ccad982dc29ec714a1a1986182dc7
              • Instruction ID: 334f23bc7b5a041cc2316b41bbb2865dca2da9aec8ba5c6ebdc366c46b8b236f
              • Opcode Fuzzy Hash: c5e02172e601e4208d3df09db8584d64f14ccad982dc29ec714a1a1986182dc7
              • Instruction Fuzzy Hash: 9EF0F830A0150DDBC700FFA4E585DDEBBB4BB52208F40A168E40567628DB70EA5DDB96
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cff87556b2f2cf5713f7e5f7eea2c081d013972b3ab305dff7d7dfe18377178
              • Instruction ID: 7190d6901de85cc25515c0083c836376efb4b1373e2f8026f24d9631c350df3c
              • Opcode Fuzzy Hash: 8cff87556b2f2cf5713f7e5f7eea2c081d013972b3ab305dff7d7dfe18377178
              • Instruction Fuzzy Hash: 9EE02236A04618CBCBA82BA8F404BAC3BE6F70C3A1B020027E90683705CE704C40CBC1
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd34c490d253c08d96d94b006069d68d2f5e31fbff041a49863d0247c2f5e913
              • Instruction ID: 2fd95ad36a25302b390824c40cc0cd370645fafec784a353919b2c6d8afa9a09
              • Opcode Fuzzy Hash: dd34c490d253c08d96d94b006069d68d2f5e31fbff041a49863d0247c2f5e913
              • Instruction Fuzzy Hash: D9E0D8313001089BCB85A778F55A7AC7BDBEB4A3A07100156EA0BC7740DE718C024B86
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: c09f7051d2ae7d191fdba3726649376ab0608e162f8f8926135fe4af8ef5f7af
              • Instruction ID: 7e589da174d67a3ec43e32504acfc5d5435b8ef61f84fcd24ef0b85832ab47ec
              • Opcode Fuzzy Hash: c09f7051d2ae7d191fdba3726649376ab0608e162f8f8926135fe4af8ef5f7af
              • Instruction Fuzzy Hash: C651DF31F081458FDB24CFB9A8845EEBBF3AB8521472489BAD016DB741DB7198068B52
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: :@k
              • API String ID: 0-2277858631
              • Opcode ID: bf3986c771c01cb2a352cc43940f6c7766667f07aa4469d07cc112643830caf1
              • Instruction ID: 70732691f9b2ee24bacf9f35309174bc394b34570e2761f9132e6190854cc01f
              • Opcode Fuzzy Hash: bf3986c771c01cb2a352cc43940f6c7766667f07aa4469d07cc112643830caf1
              • Instruction Fuzzy Hash: A441C0B4E01208DFDB04DFA4D995AAEBBF2FF48304F208169E815A7355DB34A945CF51
              Memory Dump Source
              • Source File: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp
              • Associated: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce9457e604d4c9c00d0073ba3f9ee1674f963772ea4ed6f652a2b9f6c7ff8090
              • Instruction ID: 8d1b9037a27c71d6205777d57d336ccddcc4f3e7c3b135f2ed603c500cabc165
              • Opcode Fuzzy Hash: ce9457e604d4c9c00d0073ba3f9ee1674f963772ea4ed6f652a2b9f6c7ff8090
              • Instruction Fuzzy Hash: 5C92DE6144E3C19FDB138B708CA96917FB0AE13214B1E86EFC8C4CF4A3E25D595AD762
              Memory Dump Source
              • Source File: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp
              • Associated: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b09f1699bf920d4725c6dbf53b3fc8087d7938aa7f42622333059295ac9e7149
              • Instruction ID: acf993da4b4d82d13071c6e9dae3cdaad495eaf12fa3d6f5b4aa5d0b58d3721f
              • Opcode Fuzzy Hash: b09f1699bf920d4725c6dbf53b3fc8087d7938aa7f42622333059295ac9e7149
              • Instruction Fuzzy Hash: B352CB6144E3C15FCB538B308CA96927FB0AE13214B1E86EFC8C5CF4A3E61D591AD762
              Memory Dump Source
              • Source File: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp
              • Associated: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2ee0c311f7b38507ac0eb958db4c1590f29ff86374dd378a90cbf6789aa7b962
              • Instruction ID: 094bc4d19e0ce70b9957982d0425fa77535d8c71c6392bc98d5e79c6b15c78d9
              • Opcode Fuzzy Hash: 2ee0c311f7b38507ac0eb958db4c1590f29ff86374dd378a90cbf6789aa7b962
              • Instruction Fuzzy Hash: 05C12F2140E3D24FCB139B388DB9291BFB19E5721471E8ADBC4C0CF0A7EA691959C762
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 45b3d9780a5ece6ef509964b4b9bad3429a69d25394be8d206a6e441ee674385
              • Instruction ID: a08d421659543429d6ced7e38d315c4ba7208cb5704faff5b31942380a05f287
              • Opcode Fuzzy Hash: 45b3d9780a5ece6ef509964b4b9bad3429a69d25394be8d206a6e441ee674385
              • Instruction Fuzzy Hash: F181A136F111169BE744DB69E984AAEB7E3BFC4314F298075E405DB369DF709C018B90
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d0794eb2b3bfd93ab6770121acf39d7bf18feaaaa359e247b09e15821a0301ec
              • Instruction ID: d3be31fbdd1f95284cc217d2fa11eb398babbbd99da2aead0cbc5f22c3c8c24c
              • Opcode Fuzzy Hash: d0794eb2b3bfd93ab6770121acf39d7bf18feaaaa359e247b09e15821a0301ec
              • Instruction Fuzzy Hash: CD51B232F111159BE744DB69D890BAEB7E3AFC8214F2AC474E405EB769DE74DC028790
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5b81c20a972d2e044455d00b5d2d5a56324efe2851c2da7879491f9cd4f02079
              • Instruction ID: f12820eb335de2fff6c851b6f9a7f4ff51ea5d10f2e42c6843b5c281dc226379
              • Opcode Fuzzy Hash: 5b81c20a972d2e044455d00b5d2d5a56324efe2851c2da7879491f9cd4f02079
              • Instruction Fuzzy Hash: 20519032F114169BE744DB69D884AAEB7E3AFC4214F2A8074E405EB769DF74DD018790
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3011425243.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: true
              • Associated: 00000000.00000002.3011376200.0000000005F30000.00000004.08000000.00040000.00000000.sdmp
              • Associated: 00000000.00000002.3011376200.0000000005F3E000.00000004.08000000.00040000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_5f30000_UOp1kufsuw.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 0Xl$0Xl$4l$4l$:@k$:@k$\Ol$\Ol$f`k
              • API String ID: 0-828121884
              • Opcode ID: ea9e91a2013d31865f333c297403019a00c3ee2acd0f6968ecd3a582353236b7
              • Instruction ID: e3934484b2e919eca2bb9234af7bbbd08d15236f99cc1921d8fed8966f7323ef
              • Opcode Fuzzy Hash: ea9e91a2013d31865f333c297403019a00c3ee2acd0f6968ecd3a582353236b7
              • Instruction Fuzzy Hash: 06126D35A04554CFC724DF68C164A69BBF2BF49314F2289A8E8469B7B5CB35EC84CF41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.3009764082.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_50b0000_UOp1kufsuw.jbxd
              Similarity
              • API ID:
              • String ID: 0Xl$4l$:@k$\Ol$f`k
              • API String ID: 0-4284705603
              • Opcode ID: 7201833e7af74731c6651df343f06a02c7c6e5fc7768096ffaa7129e48f7cf5f
              • Instruction ID: fe82be2f5a2e053a335808ece1a00604341b3eda9a1f39684547a8a1719b61bd
              • Opcode Fuzzy Hash: 7201833e7af74731c6651df343f06a02c7c6e5fc7768096ffaa7129e48f7cf5f
              • Instruction Fuzzy Hash: 7EB1E474B083848FD364DF38D1517AA77E2BB96308F50482DE0498BB85EB71D80ADB57