Edit tour

Windows Analysis Report
S1qgnlqr1V.exe

Overview

General Information

Sample name:	S1qgnlqr1V.exe renamed because original name is a hash value
Original sample name:	10b98a933809918bfcdd9c1ea91edee6.exe
Analysis ID:	1544356
MD5:	10b98a933809918bfcdd9c1ea91edee6
SHA1:	4e5f1555f8030aab3e98fe7ef31c8083ba9e32f2
SHA256:	70494a9ed1d509c12c48aa4dc68f06f73bee77a18a625b576dd515e9f4e0d6c3
Tags:	32exetrojan
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

S1qgnlqr1V.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\S1qgnlqr1V.exe" MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

powershell.exe (PID: 6720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

S1qgnlqr1V.exe (PID: 5880 cmdline: "C:\Users\user\Desktop\S1qgnlqr1V.exe" MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

schtasks.exe (PID: 7220 cmdline: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7296 cmdline: "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 1756 MD5: C31336C1EFC2CCB44B4326EA793040F2)

S1qgnlqr1V.exe (PID: 7348 cmdline: C:\Users\user\Desktop\S1qgnlqr1V.exe 0 MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

powershell.exe (PID: 7544 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7912 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

S1qgnlqr1V.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\S1qgnlqr1V.exe" MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

dnshost.exe (PID: 7388 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" 0 MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

powershell.exe (PID: 7552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dnshost.exe (PID: 7576 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

dnshost.exe (PID: 8096 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

dnshost.exe (PID: 8140 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 10B98A933809918BFCDD9C1EA91EDEE6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "a376f716-2f77-4943-a431-3a3bcb53", "Group": "CAT", "Domain1": "66.63.187.113", "Domain2": "66.63.187.113", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfcf5:$v1: NanoCore Client 0xfd05:$v1: NanoCore Client 0x115c6:$v2: PluginCommand 0x115ae:$v3: CommandType
00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ef3d:$a1: NanoCore.ClientPluginHost 0xc1b5d:$a1: NanoCore.ClientPluginHost 0xf457d:$a1: NanoCore.ClientPluginHost 0x8eefd:$a2: NanoCore.ClientPlugin 0xc1b1d:$a2: NanoCore.ClientPlugin 0xf453d:$a2: NanoCore.ClientPlugin 0x90e56:$b1: get_BuilderSettings 0xc3a76:$b1: get_BuilderSettings 0xf6496:$b1: get_BuilderSettings 0x8ed59:$b2: ClientLoaderForm.resources 0xc1979:$b2: ClientLoaderForm.resources 0xf4399:$b2: ClientLoaderForm.resources 0x90576:$b3: PluginCommand 0xc3196:$b3: PluginCommand 0xf5bb6:$b3: PluginCommand 0x8ef2e:$b4: IClientAppHost 0xc1b4e:$b4: IClientAppHost 0xf456e:$b4: IClientAppHost 0x993ae:$b5: GetBlockHash 0xcbfce:$b5: GetBlockHash 0xfe9ee:$b5: GetBlockHash
0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8eca5:$a: NanoCore 0x8ecb5:$a: NanoCore 0x8eee9:$a: NanoCore 0x8eefd:$a: NanoCore 0x8ef3d:$a: NanoCore 0xc18c5:$a: NanoCore 0xc18d5:$a: NanoCore 0xc1b09:$a: NanoCore 0xc1b1d:$a: NanoCore 0xc1b5d:$a: NanoCore 0xf42e5:$a: NanoCore 0xf42f5:$a: NanoCore 0xf4529:$a: NanoCore 0xf453d:$a: NanoCore 0xf457d:$a: NanoCore 0x8ed04:$b: ClientPlugin 0x8ef06:$b: ClientPlugin 0x8ef46:$b: ClientPlugin 0xc1924:$b: ClientPlugin 0xc1b26:$b: ClientPlugin 0xc1b66:$b: ClientPlugin
0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ef3d:$x1: NanoCore.ClientPluginHost 0xc1b5d:$x1: NanoCore.ClientPluginHost 0xf457d:$x1: NanoCore.ClientPluginHost 0x8ef7a:$x2: IClientNetworkHost 0xc1b9a:$x2: IClientNetworkHost 0xf45ba:$x2: IClientNetworkHost 0x92aad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc56cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf80ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x8eca5:$v1: NanoCore Client 0x8ecb5:$v1: NanoCore Client 0xc18c5:$v1: NanoCore Client 0xc18d5:$v1: NanoCore Client 0xf42e5:$v1: NanoCore Client 0xf42f5:$v1: NanoCore Client 0x90576:$v2: PluginCommand 0xc3196:$v2: PluginCommand 0xf5bb6:$v2: PluginCommand 0x9055e:$v3: CommandType 0xc317e:$v3: CommandType 0xf5b9e:$v3: CommandType
00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4365b:$a1: NanoCore.ClientPluginHost 0x56dc9:$a1: NanoCore.ClientPluginHost 0x6fdad:$a1: NanoCore.ClientPluginHost 0x4361e:$a2: NanoCore.ClientPlugin 0x56d94:$a2: NanoCore.ClientPlugin 0x6fd78:$a2: NanoCore.ClientPlugin 0x439f2:$b1: get_BuilderSettings 0x5bd0f:$b1: get_BuilderSettings 0x74cf3:$b1: get_BuilderSettings 0x436a9:$b4: IClientAppHost 0x43a63:$b6: AddHostEntry 0x43ad2:$b7: LogClientException 0x5bc7e:$b7: LogClientException 0x74c62:$b7: LogClientException 0x43a47:$b8: PipeExists 0x43696:$b9: IClientLoggingHost 0x56de3:$b9: IClientLoggingHost 0x6fdc7:$b9: IClientLoggingHost
00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435c5:$a: NanoCore 0x4361e:$a: NanoCore 0x4365b:$a: NanoCore 0x436d4:$a: NanoCore 0x56d7f:$a: NanoCore 0x56d94:$a: NanoCore 0x56dc9:$a: NanoCore 0x6fd63:$a: NanoCore 0x6fd78:$a: NanoCore 0x6fdad:$a: NanoCore 0x43627:$b: ClientPlugin 0x43664:$b: ClientPlugin 0x43f62:$b: ClientPlugin 0x43f6f:$b: ClientPlugin 0x56b3b:$b: ClientPlugin 0x56b56:$b: ClientPlugin 0x56b86:$b: ClientPlugin 0x56d9d:$b: ClientPlugin 0x56dd2:$b: ClientPlugin 0x6fb1f:$b: ClientPlugin 0x6fb3a:$b: ClientPlugin
00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6a12d:$a1: NanoCore.ClientPluginHost 0x6a0f0:$a2: NanoCore.ClientPlugin 0x5b9d7:$b1: get_BuilderSettings 0x6a4c4:$b1: get_BuilderSettings 0x6a17b:$b4: IClientAppHost 0x6a535:$b6: AddHostEntry 0x5b946:$b7: LogClientException 0x6a5a4:$b7: LogClientException 0x6a519:$b8: PipeExists 0x6a168:$b9: IClientLoggingHost
00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6a097:$a: NanoCore 0x6a0f0:$a: NanoCore 0x6a12d:$a: NanoCore 0x6a1a6:$a: NanoCore 0x6a0f9:$b: ClientPlugin 0x6a136:$b: ClientPlugin 0x6aa34:$b: ClientPlugin 0x6aa41:$b: ClientPlugin 0x601d9:$e: KeepAlive 0x6a581:$g: LogClientMessage 0x6a501:$i: get_Connected 0x5a49d:$j: #=q 0x5a4cd:$j: #=q 0x5a509:$j: #=q 0x5a531:$j: #=q 0x5a561:$j: #=q 0x5a591:$j: #=q 0x5a5c1:$j: #=q 0x5a5f1:$j: #=q 0x5a60d:$j: #=q 0x5a63d:$j: #=q
0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8eeed:$a1: NanoCore.ClientPluginHost 0xc1b0d:$a1: NanoCore.ClientPluginHost 0xf452d:$a1: NanoCore.ClientPluginHost 0x8eead:$a2: NanoCore.ClientPlugin 0xc1acd:$a2: NanoCore.ClientPlugin 0xf44ed:$a2: NanoCore.ClientPlugin 0x90e06:$b1: get_BuilderSettings 0xc3a26:$b1: get_BuilderSettings 0xf6446:$b1: get_BuilderSettings 0x8ed09:$b2: ClientLoaderForm.resources 0xc1929:$b2: ClientLoaderForm.resources 0xf4349:$b2: ClientLoaderForm.resources 0x90526:$b3: PluginCommand 0xc3146:$b3: PluginCommand 0xf5b66:$b3: PluginCommand 0x8eede:$b4: IClientAppHost 0xc1afe:$b4: IClientAppHost 0xf451e:$b4: IClientAppHost 0x9935e:$b5: GetBlockHash 0xcbf7e:$b5: GetBlockHash 0xfe99e:$b5: GetBlockHash
0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8ec55:$a: NanoCore 0x8ec65:$a: NanoCore 0x8ee99:$a: NanoCore 0x8eead:$a: NanoCore 0x8eeed:$a: NanoCore 0xc1875:$a: NanoCore 0xc1885:$a: NanoCore 0xc1ab9:$a: NanoCore 0xc1acd:$a: NanoCore 0xc1b0d:$a: NanoCore 0xf4295:$a: NanoCore 0xf42a5:$a: NanoCore 0xf44d9:$a: NanoCore 0xf44ed:$a: NanoCore 0xf452d:$a: NanoCore 0x8ecb4:$b: ClientPlugin 0x8eeb6:$b: ClientPlugin 0x8eef6:$b: ClientPlugin 0xc18d4:$b: ClientPlugin 0xc1ad6:$b: ClientPlugin 0xc1b16:$b: ClientPlugin
0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8eeed:$x1: NanoCore.ClientPluginHost 0xc1b0d:$x1: NanoCore.ClientPluginHost 0xf452d:$x1: NanoCore.ClientPluginHost 0x8ef2a:$x2: IClientNetworkHost 0xc1b4a:$x2: IClientNetworkHost 0xf456a:$x2: IClientNetworkHost 0x92a5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc567d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf809d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x8ec55:$v1: NanoCore Client 0x8ec65:$v1: NanoCore Client 0xc1875:$v1: NanoCore Client 0xc1885:$v1: NanoCore Client 0xf4295:$v1: NanoCore Client 0xf42a5:$v1: NanoCore Client 0x90526:$v2: PluginCommand 0xc3146:$v2: PluginCommand 0xf5b66:$v2: PluginCommand 0x9050e:$v3: CommandType 0xc312e:$v3: CommandType 0xf5b4e:$v3: CommandType
00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dfefd:$a1: NanoCore.ClientPluginHost 0x312b1d:$a1: NanoCore.ClientPluginHost 0x34553d:$a1: NanoCore.ClientPluginHost 0x2dfebd:$a2: NanoCore.ClientPlugin 0x312add:$a2: NanoCore.ClientPlugin 0x3454fd:$a2: NanoCore.ClientPlugin 0x2e1e16:$b1: get_BuilderSettings 0x314a36:$b1: get_BuilderSettings 0x347456:$b1: get_BuilderSettings 0x2dfd19:$b2: ClientLoaderForm.resources 0x312939:$b2: ClientLoaderForm.resources 0x345359:$b2: ClientLoaderForm.resources 0x2e1536:$b3: PluginCommand 0x314156:$b3: PluginCommand 0x346b76:$b3: PluginCommand 0x2dfeee:$b4: IClientAppHost 0x312b0e:$b4: IClientAppHost 0x34552e:$b4: IClientAppHost 0x2ea36e:$b5: GetBlockHash 0x31cf8e:$b5: GetBlockHash 0x34f9ae:$b5: GetBlockHash
00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2dfc65:$a: NanoCore 0x2dfc75:$a: NanoCore 0x2dfea9:$a: NanoCore 0x2dfebd:$a: NanoCore 0x2dfefd:$a: NanoCore 0x312885:$a: NanoCore 0x312895:$a: NanoCore 0x312ac9:$a: NanoCore 0x312add:$a: NanoCore 0x312b1d:$a: NanoCore 0x3452a5:$a: NanoCore 0x3452b5:$a: NanoCore 0x3454e9:$a: NanoCore 0x3454fd:$a: NanoCore 0x34553d:$a: NanoCore 0x2dfcc4:$b: ClientPlugin 0x2dfec6:$b: ClientPlugin 0x2dff06:$b: ClientPlugin 0x3128e4:$b: ClientPlugin 0x312ae6:$b: ClientPlugin 0x312b26:$b: ClientPlugin
00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dfefd:$x1: NanoCore.ClientPluginHost 0x312b1d:$x1: NanoCore.ClientPluginHost 0x34553d:$x1: NanoCore.ClientPluginHost 0x2dff3a:$x2: IClientNetworkHost 0x312b5a:$x2: IClientNetworkHost 0x34557a:$x2: IClientNetworkHost 0x2e3a6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x31668d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3490ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x2dfc65:$v1: NanoCore Client 0x2dfc75:$v1: NanoCore Client 0x312885:$v1: NanoCore Client 0x312895:$v1: NanoCore Client 0x3452a5:$v1: NanoCore Client 0x3452b5:$v1: NanoCore Client 0x2e1536:$v2: PluginCommand 0x314156:$v2: PluginCommand 0x346b76:$v2: PluginCommand 0x2e151e:$v3: CommandType 0x31413e:$v3: CommandType 0x346b5e:$v3: CommandType
00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2e003d:$a1: NanoCore.ClientPluginHost 0x312c5d:$a1: NanoCore.ClientPluginHost 0x34567d:$a1: NanoCore.ClientPluginHost 0x2dfffd:$a2: NanoCore.ClientPlugin 0x312c1d:$a2: NanoCore.ClientPlugin 0x34563d:$a2: NanoCore.ClientPlugin 0x2e1f56:$b1: get_BuilderSettings 0x314b76:$b1: get_BuilderSettings 0x347596:$b1: get_BuilderSettings 0x2dfe59:$b2: ClientLoaderForm.resources 0x312a79:$b2: ClientLoaderForm.resources 0x345499:$b2: ClientLoaderForm.resources 0x2e1676:$b3: PluginCommand 0x314296:$b3: PluginCommand 0x346cb6:$b3: PluginCommand 0x2e002e:$b4: IClientAppHost 0x312c4e:$b4: IClientAppHost 0x34566e:$b4: IClientAppHost 0x2ea4ae:$b5: GetBlockHash 0x31d0ce:$b5: GetBlockHash 0x34faee:$b5: GetBlockHash
00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2dfda5:$a: NanoCore 0x2dfdb5:$a: NanoCore 0x2dffe9:$a: NanoCore 0x2dfffd:$a: NanoCore 0x2e003d:$a: NanoCore 0x3129c5:$a: NanoCore 0x3129d5:$a: NanoCore 0x312c09:$a: NanoCore 0x312c1d:$a: NanoCore 0x312c5d:$a: NanoCore 0x3453e5:$a: NanoCore 0x3453f5:$a: NanoCore 0x345629:$a: NanoCore 0x34563d:$a: NanoCore 0x34567d:$a: NanoCore 0x2dfe04:$b: ClientPlugin 0x2e0006:$b: ClientPlugin 0x2e0046:$b: ClientPlugin 0x312a24:$b: ClientPlugin 0x312c26:$b: ClientPlugin 0x312c66:$b: ClientPlugin
00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2e003d:$x1: NanoCore.ClientPluginHost 0x312c5d:$x1: NanoCore.ClientPluginHost 0x34567d:$x1: NanoCore.ClientPluginHost 0x2e007a:$x2: IClientNetworkHost 0x312c9a:$x2: IClientNetworkHost 0x3456ba:$x2: IClientNetworkHost 0x2e3bad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3167cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3491ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x2dfda5:$v1: NanoCore Client 0x2dfdb5:$v1: NanoCore Client 0x3129c5:$v1: NanoCore Client 0x3129d5:$v1: NanoCore Client 0x3453e5:$v1: NanoCore Client 0x3453f5:$v1: NanoCore Client 0x2e1676:$v2: PluginCommand 0x314296:$v2: PluginCommand 0x346cb6:$v2: PluginCommand 0x2e165e:$v3: CommandType 0x31427e:$v3: CommandType 0x346c9e:$v3: CommandType
0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6a095:$a1: NanoCore.ClientPluginHost 0x6a058:$a2: NanoCore.ClientPlugin 0x5b93f:$b1: get_BuilderSettings 0x6a42c:$b1: get_BuilderSettings 0x6a0e3:$b4: IClientAppHost 0x6a49d:$b6: AddHostEntry 0x5b8ae:$b7: LogClientException 0x6a50c:$b7: LogClientException 0x6a481:$b8: PipeExists 0x6a0d0:$b9: IClientLoggingHost
0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69fff:$a: NanoCore 0x6a058:$a: NanoCore 0x6a095:$a: NanoCore 0x6a10e:$a: NanoCore 0x6a061:$b: ClientPlugin 0x6a09e:$b: ClientPlugin 0x6a99c:$b: ClientPlugin 0x6a9a9:$b: ClientPlugin 0x60141:$e: KeepAlive 0x6a4e9:$g: LogClientMessage 0x6a469:$i: get_Connected 0x5a405:$j: #=q 0x5a435:$j: #=q 0x5a471:$j: #=q 0x5a499:$j: #=q 0x5a4c9:$j: #=q 0x5a4f9:$j: #=q 0x5a529:$j: #=q 0x5a559:$j: #=q 0x5a575:$j: #=q 0x5a5a5:$j: #=q
00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3491d:$a1: NanoCore.ClientPluginHost 0x348e0:$a2: NanoCore.ClientPlugin 0x34cb4:$b1: get_BuilderSettings 0x3496b:$b4: IClientAppHost 0x34d25:$b6: AddHostEntry 0x34d94:$b7: LogClientException 0x34d09:$b8: PipeExists 0x34958:$b9: IClientLoggingHost
Process Memory Space: S1qgnlqr1V.exe PID: 6672	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: S1qgnlqr1V.exe PID: 6672	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: S1qgnlqr1V.exe PID: 6672	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x93dba:$a1: NanoCore.ClientPluginHost 0x93d7a:$a2: NanoCore.ClientPlugin 0x9579f:$b1: get_BuilderSettings 0x93b7a:$b2: ClientLoaderForm.resources 0x94ee8:$b3: PluginCommand 0x93dab:$b4: IClientAppHost 0x9dcc4:$b5: GetBlockHash 0x95dda:$b6: AddHostEntry 0xa0ca4:$b6: AddHostEntry 0xaccd2:$b6: AddHostEntry 0xb80b8:$b6: AddHostEntry 0x99ac4:$b7: LogClientException 0xa47e5:$b7: LogClientException 0xb0813:$b7: LogClientException 0xbbbf9:$b7: LogClientException 0x95d47:$b8: PipeExists 0xa0c18:$b8: PipeExists 0xacc46:$b8: PipeExists 0xb802c:$b8: PipeExists 0x93de4:$b9: IClientLoggingHost
Process Memory Space: S1qgnlqr1V.exe PID: 6672	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x93b10:$a: NanoCore 0x93b20:$a: NanoCore 0x93b95:$a: NanoCore 0x93ba4:$a: NanoCore 0x93d66:$a: NanoCore 0x93d7a:$a: NanoCore 0x93dba:$a: NanoCore 0x9e874:$a: NanoCore 0x9e886:$a: NanoCore 0x9e8c2:$a: NanoCore 0xaa8a2:$a: NanoCore 0xaa8b4:$a: NanoCore 0xaa8f0:$a: NanoCore 0xb5c88:$a: NanoCore 0xb5c9a:$a: NanoCore 0xb5cd6:$a: NanoCore 0x93b34:$b: ClientPlugin 0x93bee:$b: ClientPlugin 0x93d83:$b: ClientPlugin 0x93dc3:$b: ClientPlugin 0x9e88f:$b: ClientPlugin
Process Memory Space: S1qgnlqr1V.exe PID: 6672	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x93dba:$x1: NanoCore.ClientPluginHost 0x93df7:$x2: IClientNetworkHost 0x973d0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa220a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xae238:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb961e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: S1qgnlqr1V.exe PID: 6672	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x93b10:$v1: NanoCore Client 0x93b20:$v1: NanoCore Client 0x93b95:$v1: NanoCore Client 0x93ba4:$v1: NanoCore Client 0x94ee8:$v2: PluginCommand 0x9fde6:$v2: PluginCommand 0xabe14:$v2: PluginCommand 0xb71fa:$v2: PluginCommand 0x94ed0:$v3: CommandType 0x9fdd0:$v3: CommandType 0xabdfe:$v3: CommandType 0xb71e4:$v3: CommandType
Process Memory Space: S1qgnlqr1V.exe PID: 5880	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: S1qgnlqr1V.exe PID: 5880	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1ecb3:$a1: NanoCore.ClientPluginHost 0x3d969:$a1: NanoCore.ClientPluginHost 0x419fc:$a1: NanoCore.ClientPluginHost 0x1ec76:$a2: NanoCore.ClientPlugin 0x3d92c:$a2: NanoCore.ClientPlugin 0x419c7:$a2: NanoCore.ClientPlugin 0x1f026:$b1: get_BuilderSettings 0x3dce3:$b1: get_BuilderSettings 0x467ce:$b1: get_BuilderSettings 0x1ed01:$b4: IClientAppHost 0x3d9b7:$b4: IClientAppHost 0x1f097:$b6: AddHostEntry 0x3dd54:$b6: AddHostEntry 0x1f106:$b7: LogClientException 0x3ddc3:$b7: LogClientException 0x4673d:$b7: LogClientException 0x1f07b:$b8: PipeExists 0x3dd38:$b8: PipeExists 0x1ecee:$b9: IClientLoggingHost 0x3d9a4:$b9: IClientLoggingHost 0x41a16:$b9: IClientLoggingHost
Process Memory Space: S1qgnlqr1V.exe PID: 5880	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x48aa:$a: NanoCore 0xf12f:$a: NanoCore 0xf143:$a: NanoCore 0x13a39:$a: NanoCore 0x13a96:$a: NanoCore 0x13b21:$a: NanoCore 0x1ec1d:$a: NanoCore 0x1ec76:$a: NanoCore 0x1ecb3:$a: NanoCore 0x1ed2c:$a: NanoCore 0x1f5d8:$a: NanoCore 0x1f62b:$a: NanoCore 0x1f664:$a: NanoCore 0x1f6d7:$a: NanoCore 0x3d8d3:$a: NanoCore 0x3d92c:$a: NanoCore 0x3d969:$a: NanoCore 0x3d9e2:$a: NanoCore 0x3e29b:$a: NanoCore 0x3e2ee:$a: NanoCore 0x3e327:$a: NanoCore
Process Memory Space: S1qgnlqr1V.exe PID: 7348	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: S1qgnlqr1V.exe PID: 7348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: S1qgnlqr1V.exe PID: 7348	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4455f:$a1: NanoCore.ClientPluginHost 0x4451f:$a2: NanoCore.ClientPlugin 0x46436:$b1: get_BuilderSettings 0x442e0:$b2: ClientLoaderForm.resources 0x45b56:$b3: PluginCommand 0x44550:$b4: IClientAppHost 0x4e989:$b5: GetBlockHash 0x46a8e:$b6: AddHostEntry 0x51bad:$b6: AddHostEntry 0x5dbfe:$b6: AddHostEntry 0x68fa1:$b6: AddHostEntry 0x4a781:$b7: LogClientException 0x556ee:$b7: LogClientException 0x6173f:$b7: LogClientException 0x6cae2:$b7: LogClientException 0x469fb:$b8: PipeExists 0x51b21:$b8: PipeExists 0x5db72:$b8: PipeExists 0x68f15:$b8: PipeExists 0x44589:$b9: IClientLoggingHost
Process Memory Space: S1qgnlqr1V.exe PID: 7348	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4422c:$a: NanoCore 0x4423c:$a: NanoCore 0x442fb:$a: NanoCore 0x4430a:$a: NanoCore 0x4450b:$a: NanoCore 0x4451f:$a: NanoCore 0x4455f:$a: NanoCore 0x4f77d:$a: NanoCore 0x4f78f:$a: NanoCore 0x4f7cb:$a: NanoCore 0x5b7ce:$a: NanoCore 0x5b7e0:$a: NanoCore 0x5b81c:$a: NanoCore 0x66b71:$a: NanoCore 0x66b83:$a: NanoCore 0x66bbf:$a: NanoCore 0x4428b:$b: ClientPlugin 0x44354:$b: ClientPlugin 0x44528:$b: ClientPlugin 0x44568:$b: ClientPlugin 0x4f798:$b: ClientPlugin
Process Memory Space: S1qgnlqr1V.exe PID: 7348	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4455f:$x1: NanoCore.ClientPluginHost 0x4459c:$x2: IClientNetworkHost 0x4808d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x53113:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5f164:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6a507:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: S1qgnlqr1V.exe PID: 7348	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x4422c:$v1: NanoCore Client 0x4423c:$v1: NanoCore Client 0x442fb:$v1: NanoCore Client 0x4430a:$v1: NanoCore Client 0x45b56:$v2: PluginCommand 0x50cef:$v2: PluginCommand 0x5cd40:$v2: PluginCommand 0x680e3:$v2: PluginCommand 0x45b3e:$v3: CommandType 0x50cd9:$v3: CommandType 0x5cd2a:$v3: CommandType 0x680cd:$v3: CommandType
Process Memory Space: dnshost.exe PID: 7388	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dnshost.exe PID: 7388	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dnshost.exe PID: 7388	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbb78:$a1: NanoCore.ClientPluginHost 0xbb38:$a2: NanoCore.ClientPlugin 0xda4f:$b1: get_BuilderSettings 0xb8f9:$b2: ClientLoaderForm.resources 0xd16f:$b3: PluginCommand 0xbb69:$b4: IClientAppHost 0x15fa2:$b5: GetBlockHash 0xe0a7:$b6: AddHostEntry 0x191c6:$b6: AddHostEntry 0x25217:$b6: AddHostEntry 0x305ba:$b6: AddHostEntry 0x11d9a:$b7: LogClientException 0x1cd07:$b7: LogClientException 0x28d58:$b7: LogClientException 0x340fb:$b7: LogClientException 0xe014:$b8: PipeExists 0x1913a:$b8: PipeExists 0x2518b:$b8: PipeExists 0x3052e:$b8: PipeExists 0xbba2:$b9: IClientLoggingHost
Process Memory Space: dnshost.exe PID: 7388	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb845:$a: NanoCore 0xb855:$a: NanoCore 0xb914:$a: NanoCore 0xb923:$a: NanoCore 0xbb24:$a: NanoCore 0xbb38:$a: NanoCore 0xbb78:$a: NanoCore 0x16d96:$a: NanoCore 0x16da8:$a: NanoCore 0x16de4:$a: NanoCore 0x22de7:$a: NanoCore 0x22df9:$a: NanoCore 0x22e35:$a: NanoCore 0x2e18a:$a: NanoCore 0x2e19c:$a: NanoCore 0x2e1d8:$a: NanoCore 0xb8a4:$b: ClientPlugin 0xb96d:$b: ClientPlugin 0xbb41:$b: ClientPlugin 0xbb81:$b: ClientPlugin 0x16db1:$b: ClientPlugin
Process Memory Space: dnshost.exe PID: 7388	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xbb78:$x1: NanoCore.ClientPluginHost 0xbbb5:$x2: IClientNetworkHost 0xf6a6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a72c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2677d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x31b20:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dnshost.exe PID: 7388	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xb845:$v1: NanoCore Client 0xb855:$v1: NanoCore Client 0xb914:$v1: NanoCore Client 0xb923:$v1: NanoCore Client 0xd16f:$v2: PluginCommand 0x18308:$v2: PluginCommand 0x24359:$v2: PluginCommand 0x2f6fc:$v2: PluginCommand 0xd157:$v3: CommandType 0x182f2:$v3: CommandType 0x24343:$v3: CommandType 0x2f6e6:$v3: CommandType
Process Memory Space: S1qgnlqr1V.exe PID: 7560	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: S1qgnlqr1V.exe PID: 7560	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x24ed8:$a1: NanoCore.ClientPluginHost 0x24e9b:$a2: NanoCore.ClientPlugin 0x1e5e7:$b1: get_BuilderSettings 0x24f26:$b4: IClientAppHost 0x25239:$b6: AddHostEntry 0x1e556:$b7: LogClientException 0x2521d:$b8: PipeExists 0x24f13:$b9: IClientLoggingHost
Process Memory Space: S1qgnlqr1V.exe PID: 7560	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x291:$a: NanoCore 0xca8:$a: NanoCore 0xcd14:$a: NanoCore 0xcd28:$a: NanoCore 0xe237:$a: NanoCore 0xe294:$a: NanoCore 0xe335:$a: NanoCore 0x24e42:$a: NanoCore 0x24e9b:$a: NanoCore 0x24ed8:$a: NanoCore 0x24f51:$a: NanoCore 0x256df:$a: NanoCore 0x25732:$a: NanoCore 0x2576b:$a: NanoCore 0x257de:$a: NanoCore 0x2648d:$a: NanoCore 0x265fc:$a: NanoCore 0x26612:$a: NanoCore 0x2016e:$b: ClientPlugin 0x201af:$b: ClientPlugin 0x24ea4:$b: ClientPlugin
Process Memory Space: dnshost.exe PID: 7576	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dnshost.exe PID: 7576	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x17415:$a1: NanoCore.ClientPluginHost 0x1eaac:$a1: NanoCore.ClientPluginHost 0x37b1d:$a1: NanoCore.ClientPluginHost 0x173d8:$a2: NanoCore.ClientPlugin 0x1ea6c:$a2: NanoCore.ClientPlugin 0x37ae0:$a2: NanoCore.ClientPlugin 0x10b24:$b1: get_BuilderSettings 0x20983:$b1: get_BuilderSettings 0x37e97:$b1: get_BuilderSettings 0x1e82d:$b2: ClientLoaderForm.resources 0x200a3:$b3: PluginCommand 0x17463:$b4: IClientAppHost 0x1ea9d:$b4: IClientAppHost 0x37b6b:$b4: IClientAppHost 0x28ed6:$b5: GetBlockHash 0x17776:$b6: AddHostEntry 0x20fdb:$b6: AddHostEntry 0x2c0fa:$b6: AddHostEntry 0x37f08:$b6: AddHostEntry 0x10a93:$b7: LogClientException 0x24cce:$b7: LogClientException
Process Memory Space: dnshost.exe PID: 7576	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x53e:$a: NanoCore 0x59b:$a: NanoCore 0x623:$a: NanoCore 0x1737f:$a: NanoCore 0x173d8:$a: NanoCore 0x17415:$a: NanoCore 0x1748e:$a: NanoCore 0x17c1c:$a: NanoCore 0x17c6f:$a: NanoCore 0x17ca8:$a: NanoCore 0x17d1b:$a: NanoCore 0x189fd:$a: NanoCore 0x18b6e:$a: NanoCore 0x18b84:$a: NanoCore 0x1e779:$a: NanoCore 0x1e789:$a: NanoCore 0x1e848:$a: NanoCore 0x1e857:$a: NanoCore 0x1ea58:$a: NanoCore 0x1ea6c:$a: NanoCore 0x1eaac:$a: NanoCore
Process Memory Space: dnshost.exe PID: 7576	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x17415:$x1: NanoCore.ClientPluginHost 0x1eaac:$x1: NanoCore.ClientPluginHost 0x37b1d:$x1: NanoCore.ClientPluginHost 0x1742f:$x2: IClientNetworkHost 0x1eae9:$x2: IClientNetworkHost 0x37b37:$x2: IClientNetworkHost 0x225da:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2d660:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dnshost.exe PID: 7576	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x53e:$v1: NanoCore Client 0x59b:$v1: NanoCore Client 0x623:$v1: NanoCore Client 0x189fd:$v1: NanoCore Client 0x18b6e:$v1: NanoCore Client 0x18b84:$v1: NanoCore Client 0x1e779:$v1: NanoCore Client 0x1e789:$v1: NanoCore Client 0x1e848:$v1: NanoCore Client 0x1e857:$v1: NanoCore Client 0x34a08:$v1: NanoCore Client 0x34a1c:$v1: NanoCore Client 0x4c5e4:$v1: NanoCore Client 0x51425:$v1: NanoCore Client 0x200a3:$v2: PluginCommand 0x2b23c:$v2: PluginCommand 0x2008b:$v3: CommandType 0x2b226:$v3: CommandType 0x3b96b:$v3: CommandType 0x409f3:$v3: CommandType 0x46711:$v3: CommandType
Process Memory Space: dnshost.exe PID: 8096	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dnshost.exe PID: 8096	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dnshost.exe PID: 8096	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x7b08e:$a1: NanoCore.ClientPluginHost 0x7b04e:$a2: NanoCore.ClientPlugin 0x7ca73:$b1: get_BuilderSettings 0x7ae4e:$b2: ClientLoaderForm.resources 0x7c1bc:$b3: PluginCommand 0x7b07f:$b4: IClientAppHost 0x84f98:$b5: GetBlockHash 0x7d0ae:$b6: AddHostEntry 0x87f78:$b6: AddHostEntry 0x93fa6:$b6: AddHostEntry 0x9f38c:$b6: AddHostEntry 0x80d98:$b7: LogClientException 0x8bab9:$b7: LogClientException 0x97ae7:$b7: LogClientException 0xa2ecd:$b7: LogClientException 0x7d01b:$b8: PipeExists 0x87eec:$b8: PipeExists 0x93f1a:$b8: PipeExists 0x9f300:$b8: PipeExists 0x7b0b8:$b9: IClientLoggingHost
Process Memory Space: dnshost.exe PID: 8096	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7ade4:$a: NanoCore 0x7adf4:$a: NanoCore 0x7ae69:$a: NanoCore 0x7ae78:$a: NanoCore 0x7b03a:$a: NanoCore 0x7b04e:$a: NanoCore 0x7b08e:$a: NanoCore 0x85b48:$a: NanoCore 0x85b5a:$a: NanoCore 0x85b96:$a: NanoCore 0x91b76:$a: NanoCore 0x91b88:$a: NanoCore 0x91bc4:$a: NanoCore 0x9cf5c:$a: NanoCore 0x9cf6e:$a: NanoCore 0x9cfaa:$a: NanoCore 0x7ae08:$b: ClientPlugin 0x7aec2:$b: ClientPlugin 0x7b057:$b: ClientPlugin 0x7b097:$b: ClientPlugin 0x85b63:$b: ClientPlugin
Process Memory Space: dnshost.exe PID: 8096	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7b08e:$x1: NanoCore.ClientPluginHost 0x7b0cb:$x2: IClientNetworkHost 0x7e6a4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x894de:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9550c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa08f2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dnshost.exe PID: 8096	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x7ade4:$v1: NanoCore Client 0x7adf4:$v1: NanoCore Client 0x7ae69:$v1: NanoCore Client 0x7ae78:$v1: NanoCore Client 0x7c1bc:$v2: PluginCommand 0x870ba:$v2: PluginCommand 0x930e8:$v2: PluginCommand 0x9e4ce:$v2: PluginCommand 0x7c1a4:$v3: CommandType 0x870a4:$v3: CommandType 0x930d2:$v3: CommandType 0x9e4b8:$v3: CommandType
Click to see the 73 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
16.2.dnshost.exe.42f061c.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dnshost.exe.42f061c.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
16.2.dnshost.exe.42f061c.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
16.2.dnshost.exe.42f061c.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
11.2.dnshost.exe.3c5adb0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dnshost.exe.3c5adb0.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
11.2.dnshost.exe.3c5adb0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.dnshost.exe.3c5adb0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dnshost.exe.3c5adb0.2.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
11.2.dnshost.exe.3c5adb0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
10.2.S1qgnlqr1V.exe.4c4d980.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.S1qgnlqr1V.exe.4c4d980.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
10.2.S1qgnlqr1V.exe.4c4d980.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
10.2.S1qgnlqr1V.exe.4c4d980.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.S1qgnlqr1V.exe.4c4d980.2.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
10.2.S1qgnlqr1V.exe.4c4d980.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
19.2.dnshost.exe.43dad70.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dnshost.exe.43dad70.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.2.dnshost.exe.43dad70.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
19.2.dnshost.exe.43dad70.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dnshost.exe.43dad70.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
19.2.dnshost.exe.43dad70.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
16.2.dnshost.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dnshost.exe.3c8d9d0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dnshost.exe.3c8d9d0.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
11.2.dnshost.exe.3c8d9d0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
11.2.dnshost.exe.3c8d9d0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dnshost.exe.3c8d9d0.3.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
11.2.dnshost.exe.3c8d9d0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
16.2.dnshost.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
16.2.dnshost.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.dnshost.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dnshost.exe.400000.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
16.2.dnshost.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
16.2.dnshost.exe.42f4c45.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dnshost.exe.42f4c45.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24168:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x24133:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290ae:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x2901d:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x24182:$b9: IClientLoggingHost
16.2.dnshost.exe.42f4c45.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
16.2.dnshost.exe.42f4c45.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x24133:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24168:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x24127:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24149:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24158:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x24182:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x24195:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241a8:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241b6:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241d2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
16.2.dnshost.exe.330a2b8.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
16.2.dnshost.exe.330a2b8.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
16.2.dnshost.exe.330a2b8.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
16.2.dnshost.exe.42eb7e6.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dnshost.exe.42eb7e6.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5c7:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d592:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x3250d:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x3247c:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e1:$b9: IClientLoggingHost
16.2.dnshost.exe.42eb7e6.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
16.2.dnshost.exe.42eb7e6.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
16.2.dnshost.exe.42eb7e6.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d592:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5c7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d586:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5a8:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5b7:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42b15:$v1: NanoCore Client 0x42b25:$v1: NanoCore Client 0x75535:$v1: NanoCore Client 0x75545:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x443e6:$v2: PluginCommand 0x76e06:$v2: PluginCommand 0x117ae:$v3: CommandType 0x443ce:$v3: CommandType 0x76dee:$v3: CommandType
0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
19.2.dnshost.exe.43dad70.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dnshost.exe.43dad70.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
19.2.dnshost.exe.43dad70.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
19.2.dnshost.exe.43dad70.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dnshost.exe.43dad70.0.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42b15:$v1: NanoCore Client 0x42b25:$v1: NanoCore Client 0x75535:$v1: NanoCore Client 0x75545:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x443e6:$v2: PluginCommand 0x76e06:$v2: PluginCommand 0x117ae:$v3: CommandType 0x443ce:$v3: CommandType 0x76dee:$v3: CommandType
19.2.dnshost.exe.43dad70.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
4.2.S1qgnlqr1V.exe.5580000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.S1qgnlqr1V.exe.5580000.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
4.2.S1qgnlqr1V.exe.5580000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.S1qgnlqr1V.exe.5580000.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf8dcd:$a1: NanoCore.ClientPluginHost 0x12b9ed:$a1: NanoCore.ClientPluginHost 0x15e40d:$a1: NanoCore.ClientPluginHost 0xf8d8d:$a2: NanoCore.ClientPlugin 0x12b9ad:$a2: NanoCore.ClientPlugin 0x15e3cd:$a2: NanoCore.ClientPlugin 0xface6:$b1: get_BuilderSettings 0x12d906:$b1: get_BuilderSettings 0x160326:$b1: get_BuilderSettings 0xf8be9:$b2: ClientLoaderForm.resources 0x12b809:$b2: ClientLoaderForm.resources 0x15e229:$b2: ClientLoaderForm.resources 0xfa406:$b3: PluginCommand 0x12d026:$b3: PluginCommand 0x15fa46:$b3: PluginCommand 0xf8dbe:$b4: IClientAppHost 0x12b9de:$b4: IClientAppHost 0x15e3fe:$b4: IClientAppHost 0x10323e:$b5: GetBlockHash 0x135e5e:$b5: GetBlockHash 0x16887e:$b5: GetBlockHash
0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf8b35:$a: NanoCore 0xf8b45:$a: NanoCore 0xf8d79:$a: NanoCore 0xf8d8d:$a: NanoCore 0xf8dcd:$a: NanoCore 0x12b755:$a: NanoCore 0x12b765:$a: NanoCore 0x12b999:$a: NanoCore 0x12b9ad:$a: NanoCore 0x12b9ed:$a: NanoCore 0x15e175:$a: NanoCore 0x15e185:$a: NanoCore 0x15e3b9:$a: NanoCore 0x15e3cd:$a: NanoCore 0x15e40d:$a: NanoCore 0xf8b94:$b: ClientPlugin 0xf8d96:$b: ClientPlugin 0xf8dd6:$b: ClientPlugin 0x12b7b4:$b: ClientPlugin 0x12b9b6:$b: ClientPlugin 0x12b9f6:$b: ClientPlugin
0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf8dcd:$x1: NanoCore.ClientPluginHost 0x12b9ed:$x1: NanoCore.ClientPluginHost 0x15e40d:$x1: NanoCore.ClientPluginHost 0xf8e0a:$x2: IClientNetworkHost 0x12ba2a:$x2: IClientNetworkHost 0x15e44a:$x2: IClientNetworkHost 0xfc93d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12f55d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x161f7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xf8b35:$v1: NanoCore Client 0xf8b45:$v1: NanoCore Client 0x12b755:$v1: NanoCore Client 0x12b765:$v1: NanoCore Client 0x15e175:$v1: NanoCore Client 0x15e185:$v1: NanoCore Client 0xfa406:$v2: PluginCommand 0x12d026:$v2: PluginCommand 0x15fa46:$v2: PluginCommand 0xfa3ee:$v3: CommandType 0x12d00e:$v3: CommandType 0x15fa2e:$v3: CommandType
0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf8b35:$x1: NanoCore Client 0xf8b45:$x1: NanoCore Client 0x12b755:$x1: NanoCore Client 0x12b765:$x1: NanoCore Client 0x15e175:$x1: NanoCore Client 0x15e185:$x1: NanoCore Client 0xf8d8d:$x2: NanoCore.ClientPlugin 0x12b9ad:$x2: NanoCore.ClientPlugin 0x15e3cd:$x2: NanoCore.ClientPlugin 0xf8dcd:$x3: NanoCore.ClientPluginHost 0x12b9ed:$x3: NanoCore.ClientPluginHost 0x15e40d:$x3: NanoCore.ClientPluginHost 0xf8d82:$i1: IClientApp 0x12b9a2:$i1: IClientApp 0x15e3c2:$i1: IClientApp 0xf8da3:$i2: IClientData 0x12b9c3:$i2: IClientData 0x15e3e3:$i2: IClientData 0xf8daf:$i3: IClientNetwork 0x12b9cf:$i3: IClientNetwork 0x15e3ef:$i3: IClientNetwork
16.2.dnshost.exe.42f061c.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dnshost.exe.42f061c.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28791:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x2875c:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6d7:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d646:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287ab:$b9: IClientLoggingHost
16.2.dnshost.exe.42f061c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
16.2.dnshost.exe.42f061c.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2875c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28791:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28750:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28772:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28781:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287ab:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287be:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287df:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x287fb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x847ad:$a1: NanoCore.ClientPluginHost 0xb73cd:$a1: NanoCore.ClientPluginHost 0xe9ded:$a1: NanoCore.ClientPluginHost 0x8476d:$a2: NanoCore.ClientPlugin 0xb738d:$a2: NanoCore.ClientPlugin 0xe9dad:$a2: NanoCore.ClientPlugin 0x866c6:$b1: get_BuilderSettings 0xb92e6:$b1: get_BuilderSettings 0xebd06:$b1: get_BuilderSettings 0x845c9:$b2: ClientLoaderForm.resources 0xb71e9:$b2: ClientLoaderForm.resources 0xe9c09:$b2: ClientLoaderForm.resources 0x85de6:$b3: PluginCommand 0xb8a06:$b3: PluginCommand 0xeb426:$b3: PluginCommand 0x8479e:$b4: IClientAppHost 0xb73be:$b4: IClientAppHost 0xe9dde:$b4: IClientAppHost 0x8ec1e:$b5: GetBlockHash 0xc183e:$b5: GetBlockHash 0xf425e:$b5: GetBlockHash
0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x84515:$a: NanoCore 0x84525:$a: NanoCore 0x84759:$a: NanoCore 0x8476d:$a: NanoCore 0x847ad:$a: NanoCore 0xb7135:$a: NanoCore 0xb7145:$a: NanoCore 0xb7379:$a: NanoCore 0xb738d:$a: NanoCore 0xb73cd:$a: NanoCore 0xe9b55:$a: NanoCore 0xe9b65:$a: NanoCore 0xe9d99:$a: NanoCore 0xe9dad:$a: NanoCore 0xe9ded:$a: NanoCore 0x84574:$b: ClientPlugin 0x84776:$b: ClientPlugin 0x847b6:$b: ClientPlugin 0xb7194:$b: ClientPlugin 0xb7396:$b: ClientPlugin 0xb73d6:$b: ClientPlugin
0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x847ad:$x1: NanoCore.ClientPluginHost 0xb73cd:$x1: NanoCore.ClientPluginHost 0xe9ded:$x1: NanoCore.ClientPluginHost 0x847ea:$x2: IClientNetworkHost 0xb740a:$x2: IClientNetworkHost 0xe9e2a:$x2: IClientNetworkHost 0x8831d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbaf3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xed95d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x84515:$v1: NanoCore Client 0x84525:$v1: NanoCore Client 0xb7135:$v1: NanoCore Client 0xb7145:$v1: NanoCore Client 0xe9b55:$v1: NanoCore Client 0xe9b65:$v1: NanoCore Client 0x85de6:$v2: PluginCommand 0xb8a06:$v2: PluginCommand 0xeb426:$v2: PluginCommand 0x85dce:$v3: CommandType 0xb89ee:$v3: CommandType 0xeb40e:$v3: CommandType
0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x84515:$x1: NanoCore Client 0x84525:$x1: NanoCore Client 0xb7135:$x1: NanoCore Client 0xb7145:$x1: NanoCore Client 0xe9b55:$x1: NanoCore Client 0xe9b65:$x1: NanoCore Client 0x8476d:$x2: NanoCore.ClientPlugin 0xb738d:$x2: NanoCore.ClientPlugin 0xe9dad:$x2: NanoCore.ClientPlugin 0x847ad:$x3: NanoCore.ClientPluginHost 0xb73cd:$x3: NanoCore.ClientPluginHost 0xe9ded:$x3: NanoCore.ClientPluginHost 0x84762:$i1: IClientApp 0xb7382:$i1: IClientApp 0xe9da2:$i1: IClientApp 0x84783:$i2: IClientData 0xb73a3:$i2: IClientData 0xe9dc3:$i2: IClientData 0x8478f:$i3: IClientNetwork 0xb73af:$i3: IClientNetwork 0xe9dcf:$i3: IClientNetwork
11.2.dnshost.exe.3c8d9d0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dnshost.exe.3c8d9d0.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
11.2.dnshost.exe.3c8d9d0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x168c05:$c: ProjectData 0x1dd225:$c: ProjectData 0x10a82:$d: DESCrypto
11.2.dnshost.exe.3c8d9d0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dnshost.exe.3c8d9d0.3.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42915:$v1: NanoCore Client 0x42925:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x441e6:$v2: PluginCommand 0x117ae:$v3: CommandType 0x441ce:$v3: CommandType
11.2.dnshost.exe.3c8d9d0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
19.2.dnshost.exe.4366750.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dnshost.exe.42f2130.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dnshost.exe.42f2130.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf8dcd:$a1: NanoCore.ClientPluginHost 0x12b9ed:$a1: NanoCore.ClientPluginHost 0x15e40d:$a1: NanoCore.ClientPluginHost 0xf8d8d:$a2: NanoCore.ClientPlugin 0x12b9ad:$a2: NanoCore.ClientPlugin 0x15e3cd:$a2: NanoCore.ClientPlugin 0xface6:$b1: get_BuilderSettings 0x12d906:$b1: get_BuilderSettings 0x160326:$b1: get_BuilderSettings 0xf8be9:$b2: ClientLoaderForm.resources 0x12b809:$b2: ClientLoaderForm.resources 0x15e229:$b2: ClientLoaderForm.resources 0xfa406:$b3: PluginCommand 0x12d026:$b3: PluginCommand 0x15fa46:$b3: PluginCommand 0xf8dbe:$b4: IClientAppHost 0x12b9de:$b4: IClientAppHost 0x15e3fe:$b4: IClientAppHost 0x10323e:$b5: GetBlockHash 0x135e5e:$b5: GetBlockHash 0x16887e:$b5: GetBlockHash
19.2.dnshost.exe.42f2130.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf8b35:$a: NanoCore 0xf8b45:$a: NanoCore 0xf8d79:$a: NanoCore 0xf8d8d:$a: NanoCore 0xf8dcd:$a: NanoCore 0x12b755:$a: NanoCore 0x12b765:$a: NanoCore 0x12b999:$a: NanoCore 0x12b9ad:$a: NanoCore 0x12b9ed:$a: NanoCore 0x15e175:$a: NanoCore 0x15e185:$a: NanoCore 0x15e3b9:$a: NanoCore 0x15e3cd:$a: NanoCore 0x15e40d:$a: NanoCore 0xf8b94:$b: ClientPlugin 0xf8d96:$b: ClientPlugin 0xf8dd6:$b: ClientPlugin 0x12b7b4:$b: ClientPlugin 0x12b9b6:$b: ClientPlugin 0x12b9f6:$b: ClientPlugin
19.2.dnshost.exe.42f2130.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf8dcd:$x1: NanoCore.ClientPluginHost 0x12b9ed:$x1: NanoCore.ClientPluginHost 0x15e40d:$x1: NanoCore.ClientPluginHost 0xf8e0a:$x2: IClientNetworkHost 0x12ba2a:$x2: IClientNetworkHost 0x15e44a:$x2: IClientNetworkHost 0xfc93d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12f55d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x161f7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dnshost.exe.42f2130.2.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xf8b35:$v1: NanoCore Client 0xf8b45:$v1: NanoCore Client 0x12b755:$v1: NanoCore Client 0x12b765:$v1: NanoCore Client 0x15e175:$v1: NanoCore Client 0x15e185:$v1: NanoCore Client 0xfa406:$v2: PluginCommand 0x12d026:$v2: PluginCommand 0x15fa46:$v2: PluginCommand 0xfa3ee:$v3: CommandType 0x12d00e:$v3: CommandType 0x15fa2e:$v3: CommandType
19.2.dnshost.exe.42f2130.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf8b35:$x1: NanoCore Client 0xf8b45:$x1: NanoCore Client 0x12b755:$x1: NanoCore Client 0x12b765:$x1: NanoCore Client 0x15e175:$x1: NanoCore Client 0x15e185:$x1: NanoCore Client 0xf8d8d:$x2: NanoCore.ClientPlugin 0x12b9ad:$x2: NanoCore.ClientPlugin 0x15e3cd:$x2: NanoCore.ClientPlugin 0xf8dcd:$x3: NanoCore.ClientPluginHost 0x12b9ed:$x3: NanoCore.ClientPluginHost 0x15e40d:$x3: NanoCore.ClientPluginHost 0xf8d82:$i1: IClientApp 0x12b9a2:$i1: IClientApp 0x15e3c2:$i1: IClientApp 0xf8da3:$i2: IClientData 0x12b9c3:$i2: IClientData 0x15e3e3:$i2: IClientData 0xf8daf:$i3: IClientNetwork 0x12b9cf:$i3: IClientNetwork 0x15e3ef:$i3: IClientNetwork
19.2.dnshost.exe.4366750.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x847ad:$a1: NanoCore.ClientPluginHost 0xb73cd:$a1: NanoCore.ClientPluginHost 0xe9ded:$a1: NanoCore.ClientPluginHost 0x8476d:$a2: NanoCore.ClientPlugin 0xb738d:$a2: NanoCore.ClientPlugin 0xe9dad:$a2: NanoCore.ClientPlugin 0x866c6:$b1: get_BuilderSettings 0xb92e6:$b1: get_BuilderSettings 0xebd06:$b1: get_BuilderSettings 0x845c9:$b2: ClientLoaderForm.resources 0xb71e9:$b2: ClientLoaderForm.resources 0xe9c09:$b2: ClientLoaderForm.resources 0x85de6:$b3: PluginCommand 0xb8a06:$b3: PluginCommand 0xeb426:$b3: PluginCommand 0x8479e:$b4: IClientAppHost 0xb73be:$b4: IClientAppHost 0xe9dde:$b4: IClientAppHost 0x8ec1e:$b5: GetBlockHash 0xc183e:$b5: GetBlockHash 0xf425e:$b5: GetBlockHash
10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
19.2.dnshost.exe.4366750.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x84515:$a: NanoCore 0x84525:$a: NanoCore 0x84759:$a: NanoCore 0x8476d:$a: NanoCore 0x847ad:$a: NanoCore 0xb7135:$a: NanoCore 0xb7145:$a: NanoCore 0xb7379:$a: NanoCore 0xb738d:$a: NanoCore 0xb73cd:$a: NanoCore 0xe9b55:$a: NanoCore 0xe9b65:$a: NanoCore 0xe9d99:$a: NanoCore 0xe9dad:$a: NanoCore 0xe9ded:$a: NanoCore 0x84574:$b: ClientPlugin 0x84776:$b: ClientPlugin 0x847b6:$b: ClientPlugin 0xb7194:$b: ClientPlugin 0xb7396:$b: ClientPlugin 0xb73d6:$b: ClientPlugin
19.2.dnshost.exe.4366750.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x847ad:$x1: NanoCore.ClientPluginHost 0xb73cd:$x1: NanoCore.ClientPluginHost 0xe9ded:$x1: NanoCore.ClientPluginHost 0x847ea:$x2: IClientNetworkHost 0xb740a:$x2: IClientNetworkHost 0xe9e2a:$x2: IClientNetworkHost 0x8831d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbaf3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xed95d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x168c05:$c: ProjectData 0x1dd225:$c: ProjectData 0x10a82:$d: DESCrypto
10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dnshost.exe.4366750.3.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x84515:$v1: NanoCore Client 0x84525:$v1: NanoCore Client 0xb7135:$v1: NanoCore Client 0xb7145:$v1: NanoCore Client 0xe9b55:$v1: NanoCore Client 0xe9b65:$v1: NanoCore Client 0x85de6:$v2: PluginCommand 0xb8a06:$v2: PluginCommand 0xeb426:$v2: PluginCommand 0x85dce:$v3: CommandType 0xb89ee:$v3: CommandType 0xeb40e:$v3: CommandType
10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42915:$v1: NanoCore Client 0x42925:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x441e6:$v2: PluginCommand 0x117ae:$v3: CommandType 0x441ce:$v3: CommandType
19.2.dnshost.exe.4366750.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x84515:$x1: NanoCore Client 0x84525:$x1: NanoCore Client 0xb7135:$x1: NanoCore Client 0xb7145:$x1: NanoCore Client 0xe9b55:$x1: NanoCore Client 0xe9b65:$x1: NanoCore Client 0x8476d:$x2: NanoCore.ClientPlugin 0xb738d:$x2: NanoCore.ClientPlugin 0xe9dad:$x2: NanoCore.ClientPlugin 0x847ad:$x3: NanoCore.ClientPluginHost 0xb73cd:$x3: NanoCore.ClientPluginHost 0xe9ded:$x3: NanoCore.ClientPluginHost 0x84762:$i1: IClientApp 0xb7382:$i1: IClientApp 0xe9da2:$i1: IClientApp 0x84783:$i2: IClientData 0xb73a3:$i2: IClientData 0xe9dc3:$i2: IClientData 0x8478f:$i3: IClientNetwork 0xb73af:$i3: IClientNetwork 0xe9dcf:$i3: IClientNetwork
10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
11.2.dnshost.exe.3c5adb0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dnshost.exe.3c5adb0.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
11.2.dnshost.exe.3c5adb0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
11.2.dnshost.exe.3c5adb0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dnshost.exe.3c5adb0.2.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42b15:$v1: NanoCore Client 0x42b25:$v1: NanoCore Client 0x75535:$v1: NanoCore Client 0x75545:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x443e6:$v2: PluginCommand 0x76e06:$v2: PluginCommand 0x117ae:$v3: CommandType 0x443ce:$v3: CommandType 0x76dee:$v3: CommandType
11.2.dnshost.exe.3c5adb0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42b15:$v1: NanoCore Client 0x42b25:$v1: NanoCore Client 0x75535:$v1: NanoCore Client 0x75545:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x443e6:$v2: PluginCommand 0x76e06:$v2: PluginCommand 0x117ae:$v3: CommandType 0x443ce:$v3: CommandType 0x76dee:$v3: CommandType
10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
Click to see the 138 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\S1qgnlqr1V.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\S1qgnlqr1V.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\S1qgnlqr1V.exe", ParentImage: C:\Users\user\Desktop\S1qgnlqr1V.exe, ParentProcessId: 6672, ParentProcessName: S1qgnlqr1V.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe", ProcessId: 6720, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\S1qgnlqr1V.exe", ParentImage: C:\Users\user\Desktop\S1qgnlqr1V.exe, ParentProcessId: 5880, ParentProcessName: S1qgnlqr1V.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp", ProcessId: 7220, ProcessName: schtasks.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\DNS Host\dnshost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\S1qgnlqr1V.exe, ProcessId: 5880, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\S1qgnlqr1V.exe", ParentImage: C:\Users\user\Desktop\S1qgnlqr1V.exe, ParentProcessId: 6672, ParentProcessName: S1qgnlqr1V.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe", ProcessId: 6720, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\S1qgnlqr1V.exe", ParentImage: C:\Users\user\Desktop\S1qgnlqr1V.exe, ParentProcessId: 5880, ParentProcessName: S1qgnlqr1V.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp", ProcessId: 7220, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\S1qgnlqr1V.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\S1qgnlqr1V.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Suricata Signatures

ET MALWARE NanoCore RAT CnC 7

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:16:10.554958+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:11.750584+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:18.257728+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-10-29T10:16:23.323327+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:24.335696+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:30.382597+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49739	66.63.187.113	1664	TCP
2024-10-29T10:16:36.413853+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49740	66.63.187.113	1664	TCP
2024-10-29T10:16:42.516764+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49741	66.63.187.113	1664	TCP
2024-10-29T10:16:48.461018+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49742	66.63.187.113	1664	TCP
2024-10-29T10:16:54.460917+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49743	66.63.187.113	1664	TCP
2024-10-29T10:17:00.576565+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:01.527355+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:06.570186+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:07.570211+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49747	66.63.187.113	1664	TCP

ET MALWARE Possible NanoCore C2 60B

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:16:09.729406+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:17.256270+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-10-29T10:16:23.311064+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:29.373432+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49739	66.63.187.113	1664	TCP
2024-10-29T10:16:35.420574+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49740	66.63.187.113	1664	TCP
2024-10-29T10:16:41.437149+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49741	66.63.187.113	1664	TCP
2024-10-29T10:16:47.485030+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49742	66.63.187.113	1664	TCP
2024-10-29T10:16:53.482988+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49743	66.63.187.113	1664	TCP
2024-10-29T10:17:00.295826+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:06.545067+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:12.592280+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49748	66.63.187.113	1664	TCP
2024-10-29T10:17:17.591967+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49749	66.63.187.113	1664	TCP
2024-10-29T10:17:22.607610+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49750	66.63.187.113	1664	TCP
2024-10-29T10:17:27.607589+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49751	66.63.187.113	1664	TCP
2024-10-29T10:17:32.623493+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49752	66.63.187.113	1664	TCP
2024-10-29T10:17:37.623598+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49753	66.63.187.113	1664	TCP

ETPRO MALWARE NanoCore RAT CnC 19

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:16:10.554958+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:11.750584+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:18.257728+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-10-29T10:16:23.323327+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:24.335696+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:30.382597+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49739	66.63.187.113	1664	TCP
2024-10-29T10:16:36.413853+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49740	66.63.187.113	1664	TCP
2024-10-29T10:16:42.516764+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49741	66.63.187.113	1664	TCP
2024-10-29T10:16:48.461018+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49742	66.63.187.113	1664	TCP
2024-10-29T10:16:54.460917+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49743	66.63.187.113	1664	TCP
2024-10-29T10:17:00.576565+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:01.527355+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:06.570186+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:07.570211+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49747	66.63.187.113	1664	TCP

ETPRO MALWARE NanoCore RAT Keep-Alive Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:16:11.750584+0100	2816718	1	A Network Trojan was detected	192.168.2.5	49707	66.63.187.113	1664	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: S1qgnlqr1V.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Avira: detection malicious, Label: HEUR/AGEN.1305635

Found malware configuration

Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "a376f716-2f77-4943-a431-3a3bcb53", "Group": "CAT", "Domain1": "66.63.187.113", "Domain2": "66.63.187.113", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: S1qgnlqr1V.exe

ReversingLabs: Detection: 52%

Yara detected Nanocore RAT

Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: S1qgnlqr1V.exe

Joe Sandbox ML: detected

Source: S1qgnlqr1V.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: S1qgnlqr1V.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdbh~ source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: Accessibility.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: rzUp.pdb source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdb` source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.pdbMZ source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: mscorlib.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.pdb8 source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Windows.Forms.pdbp source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Drawing.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC346.tmp.dmp.25.dr
Source:	Binary string: rzUp.pdbSHA256 source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source:	Binary string: System.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49739 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49741 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49741 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49739 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49742 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49742 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49743 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49743 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49740 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49740 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49744 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49747 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49744 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49747 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.5:49707 -> 66.63.187.113:1664

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 66.63.187.113

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 66.63.187.113:1664

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49739 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49741 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49742 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49740 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49743 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49744 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49747 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49749 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49748 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49753 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49750 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49751 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49752 -> 66.63.187.113:1664

Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113

Source: S1qgnlqr1V.exe, 00000000.00000002.2080996073.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 0000000A.00000002.2135969780.0000000003332000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 0000000B.00000002.2149555917.0000000002372000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000013.00000002.2223301091.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.25.dr	String found in binary or memory: http://upx.sf.net

Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_3e37a762-f

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A2CA8 NtQueryInformationProcess,	0_2_077A2CA8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A2CA0 NtQueryInformationProcess,	0_2_077A2CA0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07642CA8 NtQueryInformationProcess,	10_2_07642CA8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07642CA0 NtQueryInformationProcess,	10_2_07642CA0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E42CA8 NtQueryInformationProcess,	19_2_06E42CA8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E42CA0 NtQueryInformationProcess,	19_2_06E42CA0

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_00C0DA8C	0_2_00C0DA8C
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A0040	0_2_077A0040
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A57D8	0_2_077A57D8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A57D7	0_2_077A57D7
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A66F0	0_2_077A66F0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A66E0	0_2_077A66E0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A2578	0_2_077A2578
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077AD500	0_2_077AD500
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A001F	0_2_077A001F
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A20B8	0_2_077A20B8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A2E28	0_2_077A2E28
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077ADD70	0_2_077ADD70
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A1C70	0_2_077A1C70
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077AFA10	0_2_077AFA10
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A6979	0_2_077A6979
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077AD938	0_2_077AD938
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077AD928	0_2_077AD928
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_077A6988	0_2_077A6988
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_0CFE18A0	0_2_0CFE18A0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 0_2_0CFE3950	0_2_0CFE3950
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 4_2_0125D344	4_2_0125D344
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0183DA8C	10_2_0183DA8C
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_03211A39	10_2_03211A39
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_032139C0	10_2_032139C0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07640040	10_2_07640040
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_076457CB	10_2_076457CB
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_076457D8	10_2_076457D8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0764D620	10_2_0764D620
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0764D630	10_2_0764D630
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_076466E0	10_2_076466E0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_076466F0	10_2_076466F0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07642578	10_2_07642578
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0764D1E2	10_2_0764D1E2
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07640006	10_2_07640006
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_076420B8	10_2_076420B8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07642E28	10_2_07642E28
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0764DEA0	10_2_0764DEA0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07641C70	10_2_07641C70
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0764FB40	10_2_0764FB40
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0764DA68	10_2_0764DA68
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07646979	10_2_07646979
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_07646988	10_2_07646988
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 11_2_02161A48	11_2_02161A48
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 11_2_021639C0	11_2_021639C0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 11_2_02161A39	11_2_02161A39
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 11_2_0220DA8C	11_2_0220DA8C
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 14_2_0153D344	14_2_0153D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 16_2_0174D344	16_2_0174D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_00EDDA8C	19_2_00EDDA8C
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E40040	19_2_06E40040
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E466E0	19_2_06E466E0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E466F0	19_2_06E466F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E457C9	19_2_06E457C9
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E457D8	19_2_06E457D8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E42578	19_2_06E42578
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E4D500	19_2_06E4D500
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E4D0C8	19_2_06E4D0C8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E420B8	19_2_06E420B8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E4001F	19_2_06E4001F
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E42E28	19_2_06E42E28
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E41C80	19_2_06E41C80
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E4DD70	19_2_06E4DD70
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E4FA10	19_2_06E4FA10
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E46988	19_2_06E46988
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E46979	19_2_06E46979
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E4D928	19_2_06E4D928
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06E4D938	19_2_06E4D938
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_070F3670	19_2_070F3670
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_070F15C8	19_2_070F15C8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_070F15B8	19_2_070F15B8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_016CD344	20_2_016CD344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_05791978	20_2_05791978
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_057960C8	20_2_057960C8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_057971A0	20_2_057971A0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_057970E8	20_2_057970E8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_057960B7	20_2_057960B7

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 1756

Source: S1qgnlqr1V.exe, 00000000.00000000.2068245397.00000000005A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerzUp.exe6 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2098014593.0000000009F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2079523228.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2095997755.00000000076B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3625707954.0000000005790000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3622066100.0000000003C81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe	Binary or memory string: OriginalFilenamerzUp.exe6 vs S1qgnlqr1V.exe

Source: S1qgnlqr1V.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research

Source: S1qgnlqr1V.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dnshost.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, K2JUEsV8vEGAd8d4vV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, K2JUEsV8vEGAd8d4vV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, K2JUEsV8vEGAd8d4vV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/27@0/1

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

File created: C:\Program Files (x86)\DNS Host

Jump to behavior

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S1qgnlqr1V.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5880
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a376f716-2f77-4943-a431-3a3bcb53b7c0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ew4cfgm.cmq.ps1

Jump to behavior

Source: S1qgnlqr1V.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: S1qgnlqr1V.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: S1qgnlqr1V.exe

ReversingLabs: Detection: 52%

Source: S1qgnlqr1V.exe

String found in binary or memory: $8ef8c825-4d3b-4232-add3-f59032e3b409

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

File read: C:\Users\user\Desktop\S1qgnlqr1V.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe C:\Users\user\Desktop\S1qgnlqr1V.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 1756
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: S1qgnlqr1V.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: S1qgnlqr1V.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: S1qgnlqr1V.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.pdbh~ source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: Accessibility.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: rzUp.pdb source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdb` source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.pdbMZ source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: mscorlib.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.pdb8 source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Windows.Forms.pdbp source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Drawing.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC346.tmp.dmp.25.dr
Source:	Binary string: rzUp.pdbSHA256 source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source:	Binary string: System.ni.pdb source: WERC346.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: S1qgnlqr1V.exe, frmMain.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: S1qgnlqr1V.exe, frmMain.cs	.Net Code: InitializeComponent
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	.Net Code: sGfJNrfpRu System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	.Net Code: sGfJNrfpRu System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.3970b90.0.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	.Net Code: sGfJNrfpRu System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.5000000.4.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.4.dr, frmMain.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: dnshost.exe.4.dr, frmMain.cs	.Net Code: InitializeComponent

Source: S1qgnlqr1V.exe

Static PE information: 0xF36C4B0A [Mon Jun 1 01:29:46 2099 UTC]

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Code function: 10_2_0764B530 push es; retf		10_2_0764B580
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_057990FD push FFFFFF8Bh; iretd		20_2_057990FF

Source: S1qgnlqr1V.exe	Static PE information: section name: .text entropy: 7.976488521718555
Source: dnshost.exe.4.dr	Static PE information: section name: .text entropy: 7.976488521718555

Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, tfsLtBnipv4hjQkwWK.cs	High entropy of concatenated method names: 'rCpLes1iVi', 'ncfLcpqIr3', 'fnyL85E5FL', 'xbqLST7r6k', 'WesLiAByY4', 'ppELXgZP6U', 'zbgLt9Kgfn', 'ShCL4EEJeL', 'JOPLqaGnws', 'wLtLEguynW'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, K2JUEsV8vEGAd8d4vV.cs	High entropy of concatenated method names: 'Tkccyt0iyW', 'i9Ec1t1cf3', 'm6VcspIcMn', 'IxMcIkD6Nl', 'r2Gc6Zw7U0', 'qcocnY10d3', 'xUQcvWHDBt', 'f8bcAORJVI', 'Bw7cklQ3G2', 'qAgcm4kIQ7'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, mbDLx2M4muMvkqtp0T.cs	High entropy of concatenated method names: 'HYXL0mEjjC', 'bnxLHflyPp', 'mxoLwwkJCD', 'S9NLRrmY9q', 'rPdLyA7Wtl', 'Ae7Ljp8CPx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, dk2PC9FUOX5R5DVll3.cs	High entropy of concatenated method names: 'uP5324d5fu', 'tkC3gaBMyJ', 'V0M30h5swr', 'S9f3HQ3Q8D', 'GEx3REHgC4', 'fXT3jRuU4F', 'XGc3QIqj3c', 'wQF3r8NtUi', 'XaN3YG6ixi', 'cSW3Cck6QZ'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, kud2GY2KVaXnwhbOGk.cs	High entropy of concatenated method names: 'ToString', 'RClWCJhpo8', 'b2LWHihRb9', 'hCYWwx4VIT', 'RF2WRxLHLm', 'CZrWjZKxRL', 'OMgWTIi8kG', 'c5NWQdsTff', 'kNDWrEMAIn', 'LDCWfmVwlc'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, ojWe7AI1WluDtWcsWk.cs	High entropy of concatenated method names: 'y87Sdc2fiH', 'ghESbXkGBV', 'mqH8wvI4hu', 'ILv8RJnoKm', 'KIa8jMgv00', 'e9M8TVHyLm', 'T5w8QJoLe3', 'huQ8rn5m8p', 'Sh78fruyZY', 'eJY8YIIStY'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, TcYLxOSwmrtPThybOn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'U5GpkZpFTv', 'DWHpmtHn4m', 'ANOpzhJr2V', 'cUJVarGa7h', 'xfbV5wojhB', 't6eVpmbls7', 'MOtVVh6Bl6', 'C8NDM8CKGYoGkYZN4Wn'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, knxd5wjEF9X4i9DapQ.cs	High entropy of concatenated method names: 'iufiOUb1RS', 'Gn2icWS0oR', 'FdGiSUR5LF', 'vvUiX1mt5W', 'GgyitMBbmk', 'eT2S6WFbIy', 'UTjSn1yRRu', 'A9nSvYRrg1', 'jUySANwj1T', 'uWYSkVeMki'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, ENMPCHbhAhKW3pvi0f.cs	High entropy of concatenated method names: 'Dispose', 'QCG5k49nTA', 'x6DpHopXwV', 'iixFFFOBEp', 'mxx5m3ZeBX', 'qIH5zVls6n', 'ProcessDialogKey', 'BqYpay67tM', 'ttyp5AUoI9', 'CnhppoktPa'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, jX2CVEl3uFgvd1jOmA.cs	High entropy of concatenated method names: 'cYa5XEQ60U', 'NAF5tbIVm5', 'U4M5q9cPc5', 'GlU5E2OaeY', 'uAN5hlo592', 'ScO5WCamHY', 'vr0p6Gd6ZvJWLmmjok', 'AIJCDycRUdISyNggdl', 'gHZ55me4wM', 'rMX5V5J7xA'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, BPKnnDffFa2YjtZVLG.cs	High entropy of concatenated method names: 'd1qXZ7grhY', 'QrsXlhOxh0', 'KIqXNq9Y5m', 'FwkXouP7ng', 'iXWXdYxFdY', 'QI3XKwsTE7', 'u5NXbCYiZh', 'HT8X2yYVeL', 'kHvXgGhVvO', 'DXSX74y1oL'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	High entropy of concatenated method names: 'T2KVOZbL50', 'cOeVevgKTn', 'bu2VcgFAAZ', 'KArV8LNvA9', 'A94VSUYdnA', 'DboViLsJMT', 'NP8VX3YPCF', 'nlkVtT8OuV', 'QSeV4TxUlm', 'kwxVq1gqeI'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, MeayWckdWGgmOsBXYw.cs	High entropy of concatenated method names: 'bdiCjHW3WsrBmhBZlek', 'bQVvJKWDjZTEMMMOpUa', 'ckfiL987dw', 'X92i95rYgo', 'D8jiuiZNYd', 'hvFrSlW70ThyvFkGnp3', 'DQbYptWUX8VKAUA1wnQ'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, bYNHCU7QUk9nHbKvNn.cs	High entropy of concatenated method names: 'LHlhYfoPem', 'RcmhB9qtei', 'UiyhyqoqXX', 'eGSh18eo5D', 'NaFhH5E4lP', 'uK4hwN83cG', 's2PhROQy7U', 'HBEhj2AA6s', 'hyyhTMWopk', 'iOThQmL8qC'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, kb5pD3tMfSNaKoT475.cs	High entropy of concatenated method names: 'Tx9NJNW8A', 'gC8oBi0HG', 'X2wKvF4gZ', 'KYVblNspQ', 'DsRgvPMY5', 'eH07JNxX2', 'nqWhq5rbrnJ2S3ay5M', 'SRNeZaRgdNtD7evR1g', 'VKHLIdNGu', 'bcWuJYITB'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, hFWeYe6lVJGfrJbyXJ.cs	High entropy of concatenated method names: 'rZEDAZqJcX', 'ybpDmfePvI', 'mfJLaBeNMv', 'X2hL5oF1Hk', 'WEEDCOVH0s', 'z0oDBGnSl3', 'rc8DUUr3i5', 'ccWDyWBuqR', 'MCGD114tVU', 'wXBDsn5XkA'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, QJBxB9idte0niQEnqXO.cs	High entropy of concatenated method names: 'H0W9Z7bkUx', 'qF79lkK1IA', 'JwB9N1xWGc', 'FcD9oa9HQW', 'wIF9dhph6H', 'K9u9K3rnas', 'jtA9bmBvP8', 'YbI928JX6I', 'UaN9gjPW5g', 'KBs97NAEI7'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, lZWXKMBwXHDXteLcFe.cs	High entropy of concatenated method names: 'pEaXeSckWZ', 'oWuX8ENa5m', 'k5bXi61yeX', 'QuAimb73ov', 'pSPizAD1ZU', 'pYRXas6oIi', 'bYjX5dLs7T', 'c4DXprBbfm', 'cYuXVRe93O', 'N6JXJS0itW'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, RGm6Xkv8Ze1P2qvYYe.cs	High entropy of concatenated method names: 'JL78oKuRjO', 'nLf8Kl8OFK', 'I4L82V34He', 'mg38giO1cP', 'u4a8h5IwAO', 'EL48WIXjHo', 'Qak8DecFU5', 'XHt8L7NiME', 'oNE89veURC', 'cZa8u9TmCq'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, l4TJewwOvHe5WqvLHB.cs	High entropy of concatenated method names: 'mSH95fR2FF', 'oGk9Vn1D94', 'hUO9JVdEVF', 'hDx9elJjQB', 'ISy9ciKeth', 'Tke9S73KDd', 'wUQ9ig5YVG', 'SkxLvOETIF', 'Dr0LAXi0LR', 'NrSLkJgaXD'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, tfsLtBnipv4hjQkwWK.cs	High entropy of concatenated method names: 'rCpLes1iVi', 'ncfLcpqIr3', 'fnyL85E5FL', 'xbqLST7r6k', 'WesLiAByY4', 'ppELXgZP6U', 'zbgLt9Kgfn', 'ShCL4EEJeL', 'JOPLqaGnws', 'wLtLEguynW'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, K2JUEsV8vEGAd8d4vV.cs	High entropy of concatenated method names: 'Tkccyt0iyW', 'i9Ec1t1cf3', 'm6VcspIcMn', 'IxMcIkD6Nl', 'r2Gc6Zw7U0', 'qcocnY10d3', 'xUQcvWHDBt', 'f8bcAORJVI', 'Bw7cklQ3G2', 'qAgcm4kIQ7'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, mbDLx2M4muMvkqtp0T.cs	High entropy of concatenated method names: 'HYXL0mEjjC', 'bnxLHflyPp', 'mxoLwwkJCD', 'S9NLRrmY9q', 'rPdLyA7Wtl', 'Ae7Ljp8CPx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, dk2PC9FUOX5R5DVll3.cs	High entropy of concatenated method names: 'uP5324d5fu', 'tkC3gaBMyJ', 'V0M30h5swr', 'S9f3HQ3Q8D', 'GEx3REHgC4', 'fXT3jRuU4F', 'XGc3QIqj3c', 'wQF3r8NtUi', 'XaN3YG6ixi', 'cSW3Cck6QZ'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, kud2GY2KVaXnwhbOGk.cs	High entropy of concatenated method names: 'ToString', 'RClWCJhpo8', 'b2LWHihRb9', 'hCYWwx4VIT', 'RF2WRxLHLm', 'CZrWjZKxRL', 'OMgWTIi8kG', 'c5NWQdsTff', 'kNDWrEMAIn', 'LDCWfmVwlc'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, ojWe7AI1WluDtWcsWk.cs	High entropy of concatenated method names: 'y87Sdc2fiH', 'ghESbXkGBV', 'mqH8wvI4hu', 'ILv8RJnoKm', 'KIa8jMgv00', 'e9M8TVHyLm', 'T5w8QJoLe3', 'huQ8rn5m8p', 'Sh78fruyZY', 'eJY8YIIStY'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, TcYLxOSwmrtPThybOn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'U5GpkZpFTv', 'DWHpmtHn4m', 'ANOpzhJr2V', 'cUJVarGa7h', 'xfbV5wojhB', 't6eVpmbls7', 'MOtVVh6Bl6', 'C8NDM8CKGYoGkYZN4Wn'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, knxd5wjEF9X4i9DapQ.cs	High entropy of concatenated method names: 'iufiOUb1RS', 'Gn2icWS0oR', 'FdGiSUR5LF', 'vvUiX1mt5W', 'GgyitMBbmk', 'eT2S6WFbIy', 'UTjSn1yRRu', 'A9nSvYRrg1', 'jUySANwj1T', 'uWYSkVeMki'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, ENMPCHbhAhKW3pvi0f.cs	High entropy of concatenated method names: 'Dispose', 'QCG5k49nTA', 'x6DpHopXwV', 'iixFFFOBEp', 'mxx5m3ZeBX', 'qIH5zVls6n', 'ProcessDialogKey', 'BqYpay67tM', 'ttyp5AUoI9', 'CnhppoktPa'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, jX2CVEl3uFgvd1jOmA.cs	High entropy of concatenated method names: 'cYa5XEQ60U', 'NAF5tbIVm5', 'U4M5q9cPc5', 'GlU5E2OaeY', 'uAN5hlo592', 'ScO5WCamHY', 'vr0p6Gd6ZvJWLmmjok', 'AIJCDycRUdISyNggdl', 'gHZ55me4wM', 'rMX5V5J7xA'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, BPKnnDffFa2YjtZVLG.cs	High entropy of concatenated method names: 'd1qXZ7grhY', 'QrsXlhOxh0', 'KIqXNq9Y5m', 'FwkXouP7ng', 'iXWXdYxFdY', 'QI3XKwsTE7', 'u5NXbCYiZh', 'HT8X2yYVeL', 'kHvXgGhVvO', 'DXSX74y1oL'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	High entropy of concatenated method names: 'T2KVOZbL50', 'cOeVevgKTn', 'bu2VcgFAAZ', 'KArV8LNvA9', 'A94VSUYdnA', 'DboViLsJMT', 'NP8VX3YPCF', 'nlkVtT8OuV', 'QSeV4TxUlm', 'kwxVq1gqeI'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, MeayWckdWGgmOsBXYw.cs	High entropy of concatenated method names: 'bdiCjHW3WsrBmhBZlek', 'bQVvJKWDjZTEMMMOpUa', 'ckfiL987dw', 'X92i95rYgo', 'D8jiuiZNYd', 'hvFrSlW70ThyvFkGnp3', 'DQbYptWUX8VKAUA1wnQ'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, bYNHCU7QUk9nHbKvNn.cs	High entropy of concatenated method names: 'LHlhYfoPem', 'RcmhB9qtei', 'UiyhyqoqXX', 'eGSh18eo5D', 'NaFhH5E4lP', 'uK4hwN83cG', 's2PhROQy7U', 'HBEhj2AA6s', 'hyyhTMWopk', 'iOThQmL8qC'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, kb5pD3tMfSNaKoT475.cs	High entropy of concatenated method names: 'Tx9NJNW8A', 'gC8oBi0HG', 'X2wKvF4gZ', 'KYVblNspQ', 'DsRgvPMY5', 'eH07JNxX2', 'nqWhq5rbrnJ2S3ay5M', 'SRNeZaRgdNtD7evR1g', 'VKHLIdNGu', 'bcWuJYITB'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, hFWeYe6lVJGfrJbyXJ.cs	High entropy of concatenated method names: 'rZEDAZqJcX', 'ybpDmfePvI', 'mfJLaBeNMv', 'X2hL5oF1Hk', 'WEEDCOVH0s', 'z0oDBGnSl3', 'rc8DUUr3i5', 'ccWDyWBuqR', 'MCGD114tVU', 'wXBDsn5XkA'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, QJBxB9idte0niQEnqXO.cs	High entropy of concatenated method names: 'H0W9Z7bkUx', 'qF79lkK1IA', 'JwB9N1xWGc', 'FcD9oa9HQW', 'wIF9dhph6H', 'K9u9K3rnas', 'jtA9bmBvP8', 'YbI928JX6I', 'UaN9gjPW5g', 'KBs97NAEI7'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, lZWXKMBwXHDXteLcFe.cs	High entropy of concatenated method names: 'pEaXeSckWZ', 'oWuX8ENa5m', 'k5bXi61yeX', 'QuAimb73ov', 'pSPizAD1ZU', 'pYRXas6oIi', 'bYjX5dLs7T', 'c4DXprBbfm', 'cYuXVRe93O', 'N6JXJS0itW'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, RGm6Xkv8Ze1P2qvYYe.cs	High entropy of concatenated method names: 'JL78oKuRjO', 'nLf8Kl8OFK', 'I4L82V34He', 'mg38giO1cP', 'u4a8h5IwAO', 'EL48WIXjHo', 'Qak8DecFU5', 'XHt8L7NiME', 'oNE89veURC', 'cZa8u9TmCq'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, l4TJewwOvHe5WqvLHB.cs	High entropy of concatenated method names: 'mSH95fR2FF', 'oGk9Vn1D94', 'hUO9JVdEVF', 'hDx9elJjQB', 'ISy9ciKeth', 'Tke9S73KDd', 'wUQ9ig5YVG', 'SkxLvOETIF', 'Dr0LAXi0LR', 'NrSLkJgaXD'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, tfsLtBnipv4hjQkwWK.cs	High entropy of concatenated method names: 'rCpLes1iVi', 'ncfLcpqIr3', 'fnyL85E5FL', 'xbqLST7r6k', 'WesLiAByY4', 'ppELXgZP6U', 'zbgLt9Kgfn', 'ShCL4EEJeL', 'JOPLqaGnws', 'wLtLEguynW'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, K2JUEsV8vEGAd8d4vV.cs	High entropy of concatenated method names: 'Tkccyt0iyW', 'i9Ec1t1cf3', 'm6VcspIcMn', 'IxMcIkD6Nl', 'r2Gc6Zw7U0', 'qcocnY10d3', 'xUQcvWHDBt', 'f8bcAORJVI', 'Bw7cklQ3G2', 'qAgcm4kIQ7'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, mbDLx2M4muMvkqtp0T.cs	High entropy of concatenated method names: 'HYXL0mEjjC', 'bnxLHflyPp', 'mxoLwwkJCD', 'S9NLRrmY9q', 'rPdLyA7Wtl', 'Ae7Ljp8CPx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, dk2PC9FUOX5R5DVll3.cs	High entropy of concatenated method names: 'uP5324d5fu', 'tkC3gaBMyJ', 'V0M30h5swr', 'S9f3HQ3Q8D', 'GEx3REHgC4', 'fXT3jRuU4F', 'XGc3QIqj3c', 'wQF3r8NtUi', 'XaN3YG6ixi', 'cSW3Cck6QZ'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, kud2GY2KVaXnwhbOGk.cs	High entropy of concatenated method names: 'ToString', 'RClWCJhpo8', 'b2LWHihRb9', 'hCYWwx4VIT', 'RF2WRxLHLm', 'CZrWjZKxRL', 'OMgWTIi8kG', 'c5NWQdsTff', 'kNDWrEMAIn', 'LDCWfmVwlc'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, ojWe7AI1WluDtWcsWk.cs	High entropy of concatenated method names: 'y87Sdc2fiH', 'ghESbXkGBV', 'mqH8wvI4hu', 'ILv8RJnoKm', 'KIa8jMgv00', 'e9M8TVHyLm', 'T5w8QJoLe3', 'huQ8rn5m8p', 'Sh78fruyZY', 'eJY8YIIStY'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, TcYLxOSwmrtPThybOn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'U5GpkZpFTv', 'DWHpmtHn4m', 'ANOpzhJr2V', 'cUJVarGa7h', 'xfbV5wojhB', 't6eVpmbls7', 'MOtVVh6Bl6', 'C8NDM8CKGYoGkYZN4Wn'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, knxd5wjEF9X4i9DapQ.cs	High entropy of concatenated method names: 'iufiOUb1RS', 'Gn2icWS0oR', 'FdGiSUR5LF', 'vvUiX1mt5W', 'GgyitMBbmk', 'eT2S6WFbIy', 'UTjSn1yRRu', 'A9nSvYRrg1', 'jUySANwj1T', 'uWYSkVeMki'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, ENMPCHbhAhKW3pvi0f.cs	High entropy of concatenated method names: 'Dispose', 'QCG5k49nTA', 'x6DpHopXwV', 'iixFFFOBEp', 'mxx5m3ZeBX', 'qIH5zVls6n', 'ProcessDialogKey', 'BqYpay67tM', 'ttyp5AUoI9', 'CnhppoktPa'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, jX2CVEl3uFgvd1jOmA.cs	High entropy of concatenated method names: 'cYa5XEQ60U', 'NAF5tbIVm5', 'U4M5q9cPc5', 'GlU5E2OaeY', 'uAN5hlo592', 'ScO5WCamHY', 'vr0p6Gd6ZvJWLmmjok', 'AIJCDycRUdISyNggdl', 'gHZ55me4wM', 'rMX5V5J7xA'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, BPKnnDffFa2YjtZVLG.cs	High entropy of concatenated method names: 'd1qXZ7grhY', 'QrsXlhOxh0', 'KIqXNq9Y5m', 'FwkXouP7ng', 'iXWXdYxFdY', 'QI3XKwsTE7', 'u5NXbCYiZh', 'HT8X2yYVeL', 'kHvXgGhVvO', 'DXSX74y1oL'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs	High entropy of concatenated method names: 'T2KVOZbL50', 'cOeVevgKTn', 'bu2VcgFAAZ', 'KArV8LNvA9', 'A94VSUYdnA', 'DboViLsJMT', 'NP8VX3YPCF', 'nlkVtT8OuV', 'QSeV4TxUlm', 'kwxVq1gqeI'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, MeayWckdWGgmOsBXYw.cs	High entropy of concatenated method names: 'bdiCjHW3WsrBmhBZlek', 'bQVvJKWDjZTEMMMOpUa', 'ckfiL987dw', 'X92i95rYgo', 'D8jiuiZNYd', 'hvFrSlW70ThyvFkGnp3', 'DQbYptWUX8VKAUA1wnQ'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, bYNHCU7QUk9nHbKvNn.cs	High entropy of concatenated method names: 'LHlhYfoPem', 'RcmhB9qtei', 'UiyhyqoqXX', 'eGSh18eo5D', 'NaFhH5E4lP', 'uK4hwN83cG', 's2PhROQy7U', 'HBEhj2AA6s', 'hyyhTMWopk', 'iOThQmL8qC'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, kb5pD3tMfSNaKoT475.cs	High entropy of concatenated method names: 'Tx9NJNW8A', 'gC8oBi0HG', 'X2wKvF4gZ', 'KYVblNspQ', 'DsRgvPMY5', 'eH07JNxX2', 'nqWhq5rbrnJ2S3ay5M', 'SRNeZaRgdNtD7evR1g', 'VKHLIdNGu', 'bcWuJYITB'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, hFWeYe6lVJGfrJbyXJ.cs	High entropy of concatenated method names: 'rZEDAZqJcX', 'ybpDmfePvI', 'mfJLaBeNMv', 'X2hL5oF1Hk', 'WEEDCOVH0s', 'z0oDBGnSl3', 'rc8DUUr3i5', 'ccWDyWBuqR', 'MCGD114tVU', 'wXBDsn5XkA'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, QJBxB9idte0niQEnqXO.cs	High entropy of concatenated method names: 'H0W9Z7bkUx', 'qF79lkK1IA', 'JwB9N1xWGc', 'FcD9oa9HQW', 'wIF9dhph6H', 'K9u9K3rnas', 'jtA9bmBvP8', 'YbI928JX6I', 'UaN9gjPW5g', 'KBs97NAEI7'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, lZWXKMBwXHDXteLcFe.cs	High entropy of concatenated method names: 'pEaXeSckWZ', 'oWuX8ENa5m', 'k5bXi61yeX', 'QuAimb73ov', 'pSPizAD1ZU', 'pYRXas6oIi', 'bYjX5dLs7T', 'c4DXprBbfm', 'cYuXVRe93O', 'N6JXJS0itW'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, RGm6Xkv8Ze1P2qvYYe.cs	High entropy of concatenated method names: 'JL78oKuRjO', 'nLf8Kl8OFK', 'I4L82V34He', 'mg38giO1cP', 'u4a8h5IwAO', 'EL48WIXjHo', 'Qak8DecFU5', 'XHt8L7NiME', 'oNE89veURC', 'cZa8u9TmCq'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, l4TJewwOvHe5WqvLHB.cs	High entropy of concatenated method names: 'mSH95fR2FF', 'oGk9Vn1D94', 'hUO9JVdEVF', 'hDx9elJjQB', 'ISy9ciKeth', 'Tke9S73KDd', 'wUQ9ig5YVG', 'SkxLvOETIF', 'Dr0LAXi0LR', 'NrSLkJgaXD'

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

File created: C:\Program Files (x86)\DNS Host\dnshost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

File opened: C:\Users\user\Desktop\S1qgnlqr1V.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 78F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 88F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 8AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 6AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: AFE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: BFE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 17F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 3300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 78F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 88F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 8A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 9A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: A450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: B450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 6BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 7BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 7D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 8D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 9660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: A660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 1530000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 32D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory allocated: 3220000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 1720000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 52A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: ED0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2870000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 4870000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 7170000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 8170000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 8310000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 9310000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 9AC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: AAC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: BAC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 16C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 5140000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4920	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1234	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Window / User API: threadDelayed 6372	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Window / User API: threadDelayed 3187	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Window / User API: foregroundWindowGot 1197	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4829
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6022

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 6412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 7380	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep count: 4829 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep count: 223 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep count: 6022 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7668	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8116	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.25.dr	Binary or memory string: VMware
Source: S1qgnlqr1V.exe, 00000000.00000002.2079523228.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\X
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.25.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.25.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.25.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dnshost.exe, 0000000B.00000002.2135782497.0000000000761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.25.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.25.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: S1qgnlqr1V.exe, 00000004.00000002.3627593485.0000000006740000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.25.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: dnshost.exe, 0000000B.00000002.2135782497.0000000000761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.25.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.25.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.25.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.25.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.25.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.25.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.25.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.25.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.25.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory written: C:\Users\user\Desktop\S1qgnlqr1V.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Memory written: C:\Users\user\Desktop\S1qgnlqr1V.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"

Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqLJ
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0.
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqdc
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqlh
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqTP
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqtq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq8
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.000000000313F000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq<
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.000000000311F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq$
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqlW
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003173000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq(
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003181000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4p
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqXA
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqU
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqT
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqX
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq`w
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqL[
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.000000000311F000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003181000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.00000000031A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqTd
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,=
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqH
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqpw
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq$,
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqL
Source: S1qgnlqr1V.exe, 00000004.00000002.3628646108.000000000703D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager\|
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqp
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd#
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqt
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003173000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqs
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqx
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4k
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqp'
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\|.
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\|
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqp%
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq`
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq4c
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq@j
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd
Source: S1qgnlqr1V.exe, 00000004.00000002.3623292397.000000000517E000.00000004.00000010.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3628182909.0000000006DFD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerR
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqh
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjql
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqTx
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqD#
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqP0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd7
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqpE
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjqd0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlBjq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq,q
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRjq\!

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.25.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: S1qgnlqr1V.exe, 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: S1qgnlqr1V.exe, 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
S1qgnlqr1V.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeLogger
S1qgnlqr1V.exe	100%	Avira	HEUR/AGEN.1305635
S1qgnlqr1V.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\DNS Host\dnshost.exe	100%	Avira	HEUR/AGEN.1305635
C:\Program Files (x86)\DNS Host\dnshost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DNS Host\dnshost.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeLogger

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
66.63.187.113	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.25.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	S1qgnlqr1V.exe, 00000000.00000002.2080996073.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 0000000A.00000002.2135969780.0000000003332000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 0000000B.00000002.2149555917.0000000002372000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000013.00000002.2223301091.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.63.187.113	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544356
Start date and time:	2024-10-29 10:15:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	S1qgnlqr1V.exe renamed because original name is a hash value
Original Sample Name:	10b98a933809918bfcdd9c1ea91edee6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/27@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 179 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: S1qgnlqr1V.exe

Simulations

Behavior and APIs

Time	Type	Description
05:16:05	API Interceptor	164640x Sleep call for process: S1qgnlqr1V.exe modified
05:16:07	API Interceptor	85x Sleep call for process: powershell.exe modified
05:16:08	API Interceptor	2x Sleep call for process: dnshost.exe modified
05:18:39	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:16:08	Task Scheduler	Run new task: DNS Host path: "C:\Users\user\Desktop\S1qgnlqr1V.exe" s>$(Arg0)
10:16:08	Task Scheduler	Run new task: DNS Host Task path: "C:\Program Files (x86)\DNS Host\dnshost.exe" s>$(Arg0)
10:16:10	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DNS Host C:\Program Files (x86)\DNS Host\dnshost.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	Quotation_PMV-1060_AVR1_PMV_1513_AVR1_PMV_1514_AVR1_PMV_1515.exe	Get hash	malicious	GuLoader, StormKitty	Browse	204.44.127.85
	splarm5.elf	Get hash	malicious	Unknown	Browse	190.9.40.179
	Master.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	141.98.197.31
	setup_office.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	141.98.197.31
	111.out.elf	Get hash	malicious	Unknown	Browse	141.98.197.31
	m68k.elf	Get hash	malicious	Mirai	Browse	45.199.228.213
	iQPxJrxxaj.exe	Get hash	malicious	PikaBot	Browse	104.129.55.104
	iQPxJrxxaj.exe	Get hash	malicious	PikaBot	Browse	104.129.55.104
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	173.205.89.188
	Play_VM.Now.matt.sibilo_Audio.wav...v.html	Get hash	malicious	HtmlDropper	Browse	185.174.100.20

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	651264
Entropy (8bit):	7.969387672502693
Encrypted:	false
SSDEEP:	12288:sMfzumQeZXgZ2KsYEPpU0TET/BSqxTsJXVl+N84xXF7NPTZW:ssnlwQgEPpUOEdpdSVlD4xVJPTc
MD5:	10B98A933809918BFCDD9C1EA91EDEE6
SHA1:	4E5F1555F8030AAB3E98FE7EF31C8083BA9E32F2
SHA-256:	70494A9ED1D509C12C48AA4DC68F06F73BEE77A18A625B576DD515E9F4E0D6C3
SHA-512:	D5B735529DCC61CC92D2CA93A1B477F9E08901E903847AD68D9D63547C46F5D16F29DEB3E329A981068BE866167DF4EEECF2F14F30AE04501B327C6AFF6B2DAC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kl...............0.............&.... ... ....@.. .......................`............@.....................................O.... .. ....................@..........p............................................ ............... ..H............text...,.... ...................... ..`.rsrc... .... ......................@..@.reloc.......@......................@..B........................H.......`R...8......$........`.............................................}......}......}.....(.......(........0...........sC.......{....o....o:......{....o....o<......{....o....o>......{....o....o@......{....o....oB..........o....r...p.o....o....(....r...p..0(....&.....+.............^e......&..(.....*...0.............{....o....rC..p(......,%.rE..pr...p..0(....&.{....o....&.....{....o....rC..p(......,%.r...pr...p..0(....&.{....o....&.K....{....o....(1........,%.r...pr/..p

C:\Program Files (x86)\DNS Host\dnshost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_S1qgnlqr1V.exe_154b5bc2c27c2c66339f0b82a5790485a67d77_77b60c57_56b8f93c-6740-4b23-892a-7c4176431c0b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1193519394028717
Encrypted:	false
SSDEEP:	192:wQDYXuFD0MLLHzKVa60+mVHmzuiFFZ24IO8/:RYeFwMHHuVaTDmzuiFFY4IO8/
MD5:	8C62ECBFF088EE9AAF5792C25104B673
SHA1:	D95EE7520DB33A8AE1AB309671181F94AEF8466F
SHA-256:	92847965BB3F9879D65DF4895796CE2EF81611B7E44D6A2BEB0352214FA5B176
SHA-512:	D3B58A3CEEB87847518B84891ADBA71BCA366E2AC54C73E2FFB84CD4D3266A399712B45ED16DD86E863474745246A7F051891B3FA741D331FF0761382AD473A6
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.6.7.0.5.9.8.6.6.4.1.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.6.7.1.0.1.6.3.2.0.2.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.b.8.f.9.3.c.-.6.7.4.0.-.4.b.2.3.-.8.9.2.a.-.7.c.4.1.7.6.4.3.1.c.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.6.1.7.3.6.f.-.3.4.e.b.-.4.6.8.a.-.9.2.7.4.-.c.3.f.7.3.2.4.d.c.0.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.1.q.g.n.l.q.r.1.V...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.r.z.U.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.f.8.-.0.0.0.1.-.0.0.1.4.-.a.9.2.2.-.0.6.2.f.e.3.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.7.f.4.a.6.d.4.a.c.d.d.a.4.7.7.a.6.b.0.b.b.6.5.f.d.6.8.9.4.9.6.0.0.0.0.0.0.0.0.!.0.0.0.0.4.e.5.f.1.5.5.5.f.8.0.3.0.a.a.b.3.e.9.8.f.e.7.e.f.3.1.c.8.0.8.3.b.a.9.e.3.2.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6553.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6318
Entropy (8bit):	3.719704209352784
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+f6HFYaJKMeKppD989b35sfodm:R6lXJG6lYaJKUW3Sfv
MD5:	52F6DECDC1FE46A973EECB3927BA0ED8
SHA1:	1D8FDD7AD42998B7E755BE9B84A7A6ACF93AE5D8
SHA-256:	316525D8926191E8DEABD34E19C35828BF897C178DFEBAC6599E96D5C2A0C095
SHA-512:	CEFE2520264AF8C37C1EA59C44C2E2E126F920D68516F401C93EAF21FFDDC03F2A8AEC8BC079AC474679D281857C4C96CA6975699C9573BE786213D79E31BC30
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6583.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4644
Entropy (8bit):	4.451976543402786
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+iJg77aI9fsWpW8VYlYm8M4J19HNVFk+q8q9H3jSRI44VJAd:uIjf+wI7JF7VlJ7HiZHWRInVJAd
MD5:	D1642E09B0AE0C35BF42330C2C184D98
SHA1:	561061E25FC01AF19132785D0545C94FCCE8482C
SHA-256:	B6A79EBCA3914DBFB62A069A59473CEC7C103AC44C1453C0F4DFF46C1F481D28
SHA-512:	9C270952C21FC322B4B6F07487875F54DB73472DB26AE0EBEF50D026F4447B8FA6F36E9333E4841F217ACE9D8ACF5626AE98A216AD5F04920766AF559440E6D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="564501" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC346.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Oct 29 09:18:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1395189
Entropy (8bit):	4.794834619369641
Encrypted:	false
SSDEEP:	12288:E/cbWJP/VQfWvSQGb9JTqKliYjsUXJSHav9BdTe:E/thK+vScgBZgavLd
MD5:	BBD0AB186598C8AB6D557B41A35EC1CA
SHA1:	E8676202CE3ACC67A0FF650137B1E0C10FC9411D
SHA-256:	3C19CBBD14996664CF7978966F238823A1F06C3C162E2477DEE38F7CF0B1E816
SHA-512:	E67F96D7D72B64BBCBB8EFBB85492D82B8D62B4F6C45C96CAB5A24230C1700B6893610699E9408FF32E2DFEF6554FE30487AF14E73482B57FF9068722B2C1E00
Malicious:	false
Preview:	MDMP..a..... .......]. g............4...............H.......$...$&......./..tc..........`.......8...........T...........XD..............H&..........4(..............................................................................eJ.......(......GenuineIntel............T............ g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S1qgnlqr1V.exe.log

Download File

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dnshost.exe.log

Download File

Process:	C:\Program Files (x86)\DNS Host\dnshost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulBkXj:NllUS
MD5:	453075887941F85A80949CDBA8D49A8B
SHA1:	7B31CA484A80AA32BCC06FC3511547BCB1413826
SHA-256:	84466098E76D1CF4D262F2CC01560C765FE842F8901EEE78B2F74609512737F8
SHA-512:	02E95B30978860CB5C83841B68C2E10EE56C9D8021DF34876CD33FD7F0C8B001C288F71FBBFF977DDF83031BD6CD86AC85688A6EFB6300D0221AA4A22ABE7659
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3p3ul2mh.cvw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ew4cfgm.cmq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4o20lfje.dzr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfbfqfap.5mo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guctlh1m.ked.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcttykkr.kgg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxynaech.udj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyaytfz0.uww.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_omybhyip.jhh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wj5e1saj.hif.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0xjcvet.dmh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y1kg522k.22f.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5791.tmp

Download File

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.105927822674634
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Psxtn:cbk4oL600QydbQxIYODOLedq3Ssj
MD5:	ED4382E09E893D70919BF29B2E64629A
SHA1:	2EC538E1FE21292DBCF7AB2A8975C9BE0E1897C1
SHA-256:	CF997833A757EE0A2AFA321DDC21392EC18C800FCF723AC629268DD4CFEC9517
SHA-512:	6BDB80161107C2E3AC3E671F5C65D2143EA837137BE340407BD9C54B65DE8679E0C8C318226A572500372233EDD112C5AD3277B9DFD7B0B7A183368F8CFB27F5
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp

Download File

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1306
Entropy (8bit):	5.104451641222393
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R9lxtn:cbk4oL600QydbQxIYODOLedq3S9lj
MD5:	CFD32F0E8DBE9B358E7445116E8FC086
SHA1:	00D89923A223372FAC166743853397ABD974825B
SHA-256:	3662F5D5D156CFA337FF07F335FC9D34B46E66DB3A7A2CF69C820DD4BA273ADD
SHA-512:	A190E08EDA457DF3FA3C25AA4C1211DDB8377B2C04BB3B16110F5C0FF1E440A709A1FB6543357C8625C323A1BF4E52ECF74115C1382A6EC10BBA657F42DF5014
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\catalog.dat

Download File

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	data
Category:	modified
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Download File

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	FBCB48D4D35E47AB9407449CC913E392
SHA1:	B739A2CE14E01D7849823CC21D3B4C603D69C229
SHA-256:	024DD6102C51F17B53C3FA35040C626B84DDBDD1988A141A2D33255D2A3514A2
SHA-512:	F498261F9141C6F3195D4A2B3FC2F62025C63A1E80F2E77A72EE290F9B3EC9B9574EB3CDCDD395BD9F61274A439931BF339DFE44A0C203C4B079F581DD5359F4
Malicious:	true
Preview:	...Q...H

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\task.dat

Download File

Process:	C:\Users\user\Desktop\S1qgnlqr1V.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.300559092390956
Encrypted:	false
SSDEEP:	3:oNUWJRW2QLcUzLN:oNNJA2Q7
MD5:	CAD1EBC97007DB489530F47D2F5F946F
SHA1:	4B6C2002C3360118808243A23FAB180133B05BB7
SHA-256:	DD4D8F98C1265DD046EFE86FB7B5D400A76BCF022D12C915DFFC311F4BE84B27
SHA-512:	5006CC92DCE1A17B51AF1F629F718AD48F0792D302AC21BA1935A1CFF9B209F457753A8BDE0625B46138E4EF1866153C8FBF64F47764145458DAC58A446684B2
Malicious:	false
Preview:	C:\Users\user\Desktop\S1qgnlqr1V.exe

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4217844620857045
Encrypted:	false
SSDEEP:	6144:1Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNV0uhiTw:8vloTMW+EZMM6DFy703w
MD5:	19741B3E1774CC2E86969B3089647D04
SHA1:	9271B11DEE1DD32F0C697B55D9385AC7C4F42393
SHA-256:	5ED8F031EC318A228F7A8063DB40F16F6BE3FB30EC9DEEB947FCACFE79A10FE3
SHA-512:	173D1CACD68C91C6201E2BE646331BD3EF0BBEF6B0B9EA6557F6065D3E26B6DA4ED02E815EC5420B0C22E5ED829A77931449BB4D9D10168394D86F30379A3F1F
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...f.).................................................................................................................................................................................................................................................................................................................................................R........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.969387672502693
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	S1qgnlqr1V.exe
File size:	651'264 bytes
MD5:	10b98a933809918bfcdd9c1ea91edee6
SHA1:	4e5f1555f8030aab3e98fe7ef31c8083ba9e32f2
SHA256:	70494a9ed1d509c12c48aa4dc68f06f73bee77a18a625b576dd515e9f4e0d6c3
SHA512:	d5b735529dcc61cc92d2ca93a1b477f9e08901e903847ad68d9d63547c46f5d16f29deb3e329a981068be866167df4eeecf2f14f30ae04501b327c6aff6b2dac
SSDEEP:	12288:sMfzumQeZXgZ2KsYEPpU0TET/BSqxTsJXVl+N84xXF7NPTZW:ssnlwQgEPpUOEdpdSVlD4xVJPTc
TLSH:	38D4230133485F3BE1A99BB33C614AC19BF56A336962F118DDC470F56A17B8887C5E2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kl...............0.............&.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a0326
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF36C4B0A [Mon Jun 1 01:29:46 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa02d2	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x620	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9ebcc	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9e32c	0x9e400	c7871a557004d8b158fd28d1f068f40d	False	0.9737732030015798	data	7.976488521718555	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x620	0x800	d4cf237b89d0d99f1a92282752ad407c	False	0.3369140625	data	3.4595734708494343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	024575860d97be1eabd008d50c4dada3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa2090	0x390	data			0.42653508771929827
RT_MANIFEST	0xa2430	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T10:16:09.729406+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:10.554958+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:10.554958+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:11.750584+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:11.750584+0100	2816718	ETPRO MALWARE NanoCore RAT Keep-Alive Beacon	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:11.750584+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-10-29T10:16:17.256270+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-10-29T10:16:18.257728+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-10-29T10:16:18.257728+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-10-29T10:16:23.311064+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:23.323327+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:23.323327+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:24.335696+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:24.335696+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-10-29T10:16:29.373432+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49739	66.63.187.113	1664	TCP
2024-10-29T10:16:30.382597+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49739	66.63.187.113	1664	TCP
2024-10-29T10:16:30.382597+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49739	66.63.187.113	1664	TCP
2024-10-29T10:16:35.420574+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49740	66.63.187.113	1664	TCP
2024-10-29T10:16:36.413853+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49740	66.63.187.113	1664	TCP
2024-10-29T10:16:36.413853+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49740	66.63.187.113	1664	TCP
2024-10-29T10:16:41.437149+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49741	66.63.187.113	1664	TCP
2024-10-29T10:16:42.516764+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49741	66.63.187.113	1664	TCP
2024-10-29T10:16:42.516764+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49741	66.63.187.113	1664	TCP
2024-10-29T10:16:47.485030+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49742	66.63.187.113	1664	TCP
2024-10-29T10:16:48.461018+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49742	66.63.187.113	1664	TCP
2024-10-29T10:16:48.461018+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49742	66.63.187.113	1664	TCP
2024-10-29T10:16:53.482988+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49743	66.63.187.113	1664	TCP
2024-10-29T10:16:54.460917+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49743	66.63.187.113	1664	TCP
2024-10-29T10:16:54.460917+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49743	66.63.187.113	1664	TCP
2024-10-29T10:17:00.295826+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:00.576565+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:00.576565+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:01.527355+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:01.527355+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49744	66.63.187.113	1664	TCP
2024-10-29T10:17:06.545067+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:06.570186+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:06.570186+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:07.570211+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:07.570211+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49747	66.63.187.113	1664	TCP
2024-10-29T10:17:12.592280+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49748	66.63.187.113	1664	TCP
2024-10-29T10:17:17.591967+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49749	66.63.187.113	1664	TCP
2024-10-29T10:17:22.607610+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49750	66.63.187.113	1664	TCP
2024-10-29T10:17:27.607589+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49751	66.63.187.113	1664	TCP
2024-10-29T10:17:32.623493+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49752	66.63.187.113	1664	TCP
2024-10-29T10:17:37.623598+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49753	66.63.187.113	1664	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:16:09.709949970 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:09.715471029 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:09.715559959 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:09.729406118 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:09.734796047 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:10.554958105 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:10.560488939 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:10.677674055 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:10.680136919 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:10.685439110 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:10.981417894 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.028723001 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.034921885 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.040427923 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.396317005 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.396385908 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.396397114 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.396408081 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.396419048 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.396514893 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.396514893 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.576159954 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576204062 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576221943 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576240063 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576272964 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.576379061 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576394081 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576409101 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.576469898 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.576642036 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576659918 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576675892 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.576703072 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.577110052 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.577126980 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.577142954 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.577172995 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.577189922 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.750583887 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.756139994 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756177902 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756196022 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756211042 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756213903 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.756227970 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756244898 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756247044 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.756261110 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756278038 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756300926 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.756314993 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.756845951 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756944895 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756968021 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756984949 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.756999969 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.757015944 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.757025957 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.757066965 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.871665955 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.871915102 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.871936083 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.871958971 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.871964931 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.871999025 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.937315941 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.937360048 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.937390089 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.937406063 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.937421083 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.937438965 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.937443972 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.937457085 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.937479973 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.937494040 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.938124895 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.938141108 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.938157082 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.938170910 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.938222885 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.938699961 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.938774109 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.938817024 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:11.987332106 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.987358093 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.987380028 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:11.987410069 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.054862976 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.054903030 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.054923058 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.054932117 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.054959059 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.054963112 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.054986000 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.055032015 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.055043936 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.055063963 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.055095911 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.055116892 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.094172001 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.094229937 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.094230890 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.094254017 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.094300032 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.117095947 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.117120028 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.117141008 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.117163897 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.168555975 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168582916 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168610096 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.168652058 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168693066 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168700933 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.168714046 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168744087 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168764114 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168771029 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.168795109 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.168808937 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.209513903 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.209573030 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.209657907 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.209672928 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.209716082 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.233218908 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.233234882 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.233247995 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.233303070 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.284312963 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.284328938 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.284342051 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.284365892 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.284394979 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.284728050 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.284746885 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.284801960 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.285656929 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.285725117 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.285787106 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.285790920 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.296525002 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.296571970 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.296643019 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.324939966 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.324959040 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.324973106 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.325068951 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.325129986 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.349111080 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.349149942 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.349163055 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.349200964 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.399595022 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.399636030 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.399655104 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.399667978 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.399681091 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.399703026 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.399755001 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.400734901 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.400791883 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.400804043 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.400840044 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.412106991 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.412121058 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.412132978 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.412157059 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.412188053 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.440902948 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.440927029 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.440939903 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.440968990 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.464613914 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.464632034 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.464648962 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.464662075 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.464698076 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.515101910 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.515125036 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.515137911 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.515150070 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.515166998 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.515197992 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.515197992 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.516153097 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.516177893 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.516190052 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.516227961 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.516227961 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.528275013 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.528291941 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.528304100 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.528369904 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.556025982 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.556041956 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.556054115 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.556078911 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.556101084 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.579922915 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.579936028 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.579994917 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.580058098 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.580080032 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.580121040 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.630597115 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.630628109 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.630639076 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.630688906 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.630702019 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.630709887 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.630747080 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.630748034 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.630760908 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.630790949 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.631614923 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.631634951 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.631647110 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.631674051 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.631695986 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.643872976 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.643888950 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.643902063 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.643953085 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.671704054 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.671749115 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.671761990 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.671809912 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.671809912 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.695460081 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.695478916 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.695596933 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.737946987 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.738022089 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.738219023 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.746273041 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746299982 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746314049 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746326923 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746344090 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746927977 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746948957 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746977091 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.746979952 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.746978045 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.747200966 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.747237921 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.747251034 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.747281075 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.747281075 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.759555101 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.759574890 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.759589911 CET	1664	49707	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:12.759712934 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.759712934 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:12.767940044 CET	49707	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:17.250309944 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:17.255800962 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:17.255980968 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:17.256269932 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:17.261581898 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.239722967 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.242881060 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:18.248677969 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.257728100 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:18.263403893 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.549163103 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.554172039 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:18.559808016 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917004108 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917020082 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917038918 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917051077 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917063951 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917073011 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:18.917078972 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917090893 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:18.917109966 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:18.917117119 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:18.960582972 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.091919899 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.091941118 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.091958046 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.091980934 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.091994047 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.092001915 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.092052937 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.092252970 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.092327118 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.092340946 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.092350006 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.092355967 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.092370987 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.092374086 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.092437983 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.267982960 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268007040 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268019915 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268032074 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268047094 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268074989 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.268327951 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268340111 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268352985 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268373013 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268378973 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.268388033 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.268407106 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.268433094 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.269525051 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.269540071 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.269553900 CET	1664	49710	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:19.269606113 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:19.296998024 CET	49710	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:23.304893970 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:23.310672045 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:23.310746908 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:23.311064005 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:23.316457987 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:23.323327065 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:23.328747034 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.248847961 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.249041080 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:24.254487038 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.335695982 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:24.342238903 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.539918900 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.543488979 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:24.549123049 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.904907942 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.904925108 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.904937029 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.905039072 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:24.905181885 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.905194044 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.905204058 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:24.905271053 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:24.905271053 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.249233007 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249245882 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249264002 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249274015 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249284983 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249298096 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249304056 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.249316931 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249336958 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249346972 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.249346972 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.249365091 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249376059 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249397993 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.249475002 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.249811888 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.249886036 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.250001907 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250017881 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250085115 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250097036 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250112057 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250117064 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.250125885 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250139952 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250152111 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.250185966 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.250185966 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.250252008 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.258317947 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.258347034 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.258358002 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.258364916 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.258398056 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.258512020 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.352742910 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.357111931 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.357141018 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.357152939 CET	1664	49713	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:25.357162952 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.357198000 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:25.357198000 CET	49713	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:29.367278099 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:29.372946024 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:29.373087883 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:29.373431921 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:29.378892899 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.336602926 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.336894035 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:30.342395067 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.382596970 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:30.388060093 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.634182930 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.637397051 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:30.642838001 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.978523016 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.978555918 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.978569031 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.978580952 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.978595018 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:30.978610039 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:30.978658915 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.144871950 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.144913912 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.144927025 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.144938946 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.144952059 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.145092010 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.145109892 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.145214081 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.145247936 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.145277023 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.145289898 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.145303011 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.145380974 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.310642958 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.310657024 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.310731888 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.310791016 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.310811043 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.310822964 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.310834885 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.310846090 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.310872078 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.310899973 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.311650038 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.311661959 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.311672926 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.311686993 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.311701059 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.311726093 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.312305927 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.312326908 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.312339067 CET	1664	49739	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:31.312367916 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.314286947 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:31.398190022 CET	49739	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:35.414406061 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:35.420186043 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:35.420384884 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:35.420573950 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:35.433106899 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:36.402728081 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:36.402950048 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:36.408539057 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:36.413852930 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:36.419389963 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:36.707387924 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:36.711081982 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:36.716567993 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.070153952 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.070168018 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.070178986 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.070184946 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.070197105 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.070255041 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.070271969 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.070302963 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.245217085 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.245321035 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.245332003 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.245373964 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.245387077 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.245398998 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.245434046 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.246313095 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.246362925 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.246457100 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.246819973 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.246850014 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.246861935 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.246867895 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.246901989 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.249730110 CET	1664	49740	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:37.304320097 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:37.414016008 CET	49740	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:41.431293964 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:41.436770916 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:41.436888933 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:41.437149048 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:41.442420959 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:42.399286032 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:42.399632931 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:42.405149937 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:42.516763926 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:42.522393942 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:42.700650930 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:42.704910040 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:42.710988045 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.056972980 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.056998014 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.057008982 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.057041883 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.057054996 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.057065010 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.057081938 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.057128906 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.233045101 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233059883 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233072042 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233083010 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233108997 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.233141899 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.233146906 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233196974 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233208895 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233220100 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233234882 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.233258009 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.233841896 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233870029 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233875990 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.233978987 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.408387899 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.408422947 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.408505917 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.408521891 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.408534050 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.408545017 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.408556938 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.408569098 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.408580065 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.408632040 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.408653021 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.409307003 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.409348011 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.409357071 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.409358978 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.409400940 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.409401894 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.409414053 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.409455061 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.410175085 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.410222054 CET	1664	49741	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:43.410267115 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:43.460798979 CET	49741	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:47.479110003 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:47.484662056 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:47.484764099 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:47.485029936 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:47.490931988 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:48.428637981 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:48.428809881 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:48.434415102 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:48.461018085 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:48.467596054 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:48.721596956 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:48.726182938 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:48.731615067 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154347897 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154361963 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154385090 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154427052 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154438019 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154453039 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154463053 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.154473066 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.154525995 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.154525995 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.248500109 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.248542070 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.248563051 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.248575926 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.248588085 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.248657942 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.248855114 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.249007940 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.249033928 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.249044895 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.249082088 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.249083042 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.249083042 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.249217033 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.417434931 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.417514086 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.417525053 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.417536020 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.417548895 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.417874098 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.418016911 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.418029070 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.418040991 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.418052912 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.418061018 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.418869972 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.418890953 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.418951035 CET	1664	49742	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:49.419047117 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:49.460941076 CET	49742	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:53.476655006 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:53.482454062 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:53.482764959 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:53.482988119 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:53.488678932 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:54.415596962 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:54.415847063 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:54.421305895 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:54.460916996 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:54.691502094 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:54.707366943 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:54.710906029 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:54.762092113 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.056545973 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.056581020 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.056593895 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.056633949 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.056649923 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.056695938 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.056720018 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.225224018 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225292921 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225306034 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225317955 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225393057 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.225421906 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.225590944 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225603104 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225641012 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.225641966 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225656033 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.225702047 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.226419926 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.226700068 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.226737976 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.392889977 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.392921925 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.392935038 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.392949104 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.393048048 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.393193960 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.393332958 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.393381119 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.393431902 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.393444061 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.393450975 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.393492937 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.394131899 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.394176006 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.394207954 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.394220114 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.394232035 CET	1664	49743	66.63.187.113	192.168.2.5
Oct 29, 2024 10:16:55.394258976 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.444961071 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:55.460705042 CET	49743	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:16:59.476722956 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:00.295319080 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:00.295461893 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:00.295825958 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:00.576503038 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:00.576565027 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:00.581918001 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:01.521755934 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:01.521976948 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:01.527304888 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:01.527354956 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:01.533329010 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:01.818816900 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:01.822376013 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:01.828386068 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.170711040 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.170727968 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.170742035 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.170754910 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.170775890 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.170802116 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.170895100 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.170926094 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.170960903 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.342014074 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.342073917 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.342207909 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.342305899 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.342498064 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.342509031 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.342550993 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.342832088 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.342873096 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.343377113 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.343578100 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.343595982 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.343619108 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.344229937 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.344273090 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.344661951 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.398082972 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.513505936 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.513525963 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.513537884 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.513650894 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.513937950 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.514019966 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.514039040 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.514112949 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.514337063 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.514348984 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.514363050 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.514425039 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.515382051 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.515439034 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.515451908 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.515453100 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.515486956 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.515971899 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.516185045 CET	1664	49744	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:02.516227961 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:02.523350954 CET	49744	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:06.539155006 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:06.544673920 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:06.544810057 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:06.545067072 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:06.550476074 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:06.570185900 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:06.575647116 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:07.497279882 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:07.497519016 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:07.502902031 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:07.570210934 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:07.575697899 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:07.790996075 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:07.795999050 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:07.801387072 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.160170078 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.160228968 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.160243034 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.160254955 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.160265923 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.160312891 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.160365105 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.328439951 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.328455925 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.328469038 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.328485966 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.328541040 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.328608990 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.329005003 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.329024076 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.329039097 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.329049110 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.329066992 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.329083920 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.329111099 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.329667091 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.329720020 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.496365070 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496403933 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496416092 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496452093 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496475935 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.496531010 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.496694088 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496767998 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496779919 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496800900 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.496809006 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.496846914 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.497524977 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.497606993 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.497654915 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.497968912 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.497982025 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.497992992 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.498011112 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.498018980 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.498054981 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.498759031 CET	1664	49747	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:08.538686991 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:08.570246935 CET	49747	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:12.586318970 CET	49748	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:12.591860056 CET	1664	49748	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:12.591954947 CET	49748	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:12.592279911 CET	49748	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:12.597596884 CET	1664	49748	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:13.570410013 CET	49748	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:13.731225967 CET	1664	49748	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:13.731338024 CET	49748	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:17.585990906 CET	49749	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:17.591434956 CET	1664	49749	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:17.591593981 CET	49749	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:17.591967106 CET	49749	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:17.597312927 CET	1664	49749	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:18.585757017 CET	49749	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:18.744683981 CET	1664	49749	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:18.744762897 CET	49749	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:18.745857000 CET	1664	49749	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:18.745924950 CET	49749	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:22.601695061 CET	49750	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:22.607182980 CET	1664	49750	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:22.607278109 CET	49750	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:22.607609987 CET	49750	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:22.612972975 CET	1664	49750	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:23.561202049 CET	1664	49750	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:23.561378956 CET	49750	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:23.566654921 CET	1664	49750	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:23.585838079 CET	49750	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:27.601679087 CET	49751	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:27.607220888 CET	1664	49751	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:27.607317924 CET	49751	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:27.607589006 CET	49751	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:27.613018036 CET	1664	49751	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:28.551307917 CET	1664	49751	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:28.551573038 CET	49751	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:28.557020903 CET	1664	49751	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:28.601397991 CET	49751	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:32.617554903 CET	49752	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:32.623030901 CET	1664	49752	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:32.623145103 CET	49752	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:32.623492956 CET	49752	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:32.629278898 CET	1664	49752	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:33.569989920 CET	1664	49752	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:33.570218086 CET	49752	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:33.575733900 CET	1664	49752	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:33.601733923 CET	49752	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:37.617379904 CET	49753	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:37.622796059 CET	1664	49753	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:37.622910023 CET	49753	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:37.623598099 CET	49753	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:37.628972054 CET	1664	49753	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:38.552216053 CET	1664	49753	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:38.552439928 CET	49753	1664	192.168.2.5	66.63.187.113
Oct 29, 2024 10:17:38.557847023 CET	1664	49753	66.63.187.113	192.168.2.5
Oct 29, 2024 10:17:38.601291895 CET	49753	1664	192.168.2.5	66.63.187.113

Target ID:	0
Start time:	05:16:05
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\S1qgnlqr1V.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S1qgnlqr1V.exe"
Imagebase:	0x500000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:16:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Imagebase:	0x60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:16:06
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\S1qgnlqr1V.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S1qgnlqr1V.exe"
Imagebase:	0x930000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:16:06
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:16:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"
Imagebase:	0xca0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:16:07
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:16:07
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp"
Imagebase:	0xca0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:16:08
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:16:08
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\S1qgnlqr1V.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\S1qgnlqr1V.exe 0
Imagebase:	0xee0000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:16:08
Start date:	29/10/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Imagebase:	0xb0000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:16:09
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Imagebase:	0x60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 7552, Parent PID: 7388

General

Target ID:	13
Start time:	05:16:09
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0x60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:16:09
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\S1qgnlqr1V.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S1qgnlqr1V.exe"
Imagebase:	0xe90000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:16:09
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:16:09
Start date:	29/10/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0xea0000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:16:09
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:16:12
Start date:	29/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:16:19
Start date:	29/10/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0x4f0000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:16:20
Start date:	29/10/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0xde0000
File size:	651'264 bytes
MD5 hash:	10B98A933809918BFCDD9C1EA91EDEE6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:17:39
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 1756
Imagebase:	0xbb0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.9%
Total number of Nodes:	184
Total number of Limit Nodes:	8

Executed Functions

Function 077A2CA0 Relevance: 1.6, APIs: 1, Instructions: 61nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 077A2D27

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2b599d842a8c575aa11aeb362e0c49b96774539565528f3deb213d7668268b4f
Instruction ID: b76dca63470c6232401c35c63c552dfa10842241d0d97be0ee796b3d81054806
Opcode Fuzzy Hash: 2b599d842a8c575aa11aeb362e0c49b96774539565528f3deb213d7668268b4f
Instruction Fuzzy Hash: 9D21F3B5901349AFCB10CF9AD884ADEFFF5FB88310F10892AE918A7211C375A554CFA4

Function 077A2CA8 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 077A2D27

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: ac0e13ab61a28fc6d75ab70eb94bbd8588aaa2831b29fb388b2134ecd305d70f
Instruction ID: 02243eea86f6d4cc3537be164ded5bcd1f6b3d58ba8419350b7beed9b0c38898
Opcode Fuzzy Hash: ac0e13ab61a28fc6d75ab70eb94bbd8588aaa2831b29fb388b2134ecd305d70f
Instruction Fuzzy Hash: 2221C0B5900359EFCB10DF9AD884ADEFBF4FB48310F10852AE918A7211C379A554CFA5

Function 077A0040 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993b2082f53e627bd8200ed5faa3997244748503900ec0da43086553ce814a09
Instruction ID: 08dcf84e651eec304a8fcb0569fa0490f708b0d6da110004b115b88ec9cbe34e
Opcode Fuzzy Hash: 993b2082f53e627bd8200ed5faa3997244748503900ec0da43086553ce814a09
Instruction Fuzzy Hash: CA4294B4E01219CFDB54CFA9C984B9DBBB2BF88350F5086A9D809A7355D734AE81CF50

Function 0CFE3950 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56b64f3f93ab768cdb6d8072122cae3cb5724a07503840c2a697513a8bc78b6
Instruction ID: 0c6ba167b3da7e6a6382352c17821b83b8a1d260f0169ddb8db93cf33fc6ac25
Opcode Fuzzy Hash: a56b64f3f93ab768cdb6d8072122cae3cb5724a07503840c2a697513a8bc78b6
Instruction Fuzzy Hash: 74E1BE31B027049FDB29DB79C458BAE77F6AF89700F24446DE1469B3A0CB35E909CB52

Function 0CFE18A0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47294e0149519a407088338d79eb56acc14b3a22fc3dbc3d8f7cfa0fe0f03612
Instruction ID: f6a9d2ad79d4af5d5bf325f1f4e434ee10d7dae5185fcaa043f25698a2fa4fa3
Opcode Fuzzy Hash: 47294e0149519a407088338d79eb56acc14b3a22fc3dbc3d8f7cfa0fe0f03612
Instruction Fuzzy Hash: 5971F772D45229CBDB68CF66C8407EEB7B6BF89300F10D1AAD40DA6251EB745AC5CF41

Function 077A001F Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0124574f6546f70b5cd9c69bdcad3ec86afc4cac5f6c1243c1ca28a8921edd31
Instruction ID: 64b6bc8600443f17f5d0ee6073e30f175d997acc2dfd1d1c281e730bffa57a28
Opcode Fuzzy Hash: 0124574f6546f70b5cd9c69bdcad3ec86afc4cac5f6c1243c1ca28a8921edd31
Instruction Fuzzy Hash: D871C5B4E01219DFEB18CFAAD894B9DBBB2BF88340F14C5AAD808A7355D7359941CF50

Function 00C0D168 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C0D1F6
GetCurrentThread.KERNEL32 ref: 00C0D233
GetCurrentProcess.KERNEL32 ref: 00C0D270
GetCurrentThreadId.KERNEL32 ref: 00C0D2C9

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 73608f6c26d7a3a6f49eeeca94c3a6f538c8c6ce3bdcee4bbfd34793fb94bd99
Instruction ID: 41e23960e0a536aa7596ccebf98c4db6bae69668f8bdacf719abe45074079023
Opcode Fuzzy Hash: 73608f6c26d7a3a6f49eeeca94c3a6f538c8c6ce3bdcee4bbfd34793fb94bd99
Instruction Fuzzy Hash: 3D5165B0900349CFDB14DFA9D548B9EBBF5EF49304F20805AE019A73A0D738AD84CBA5

Function 00C0D178 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C0D1F6
GetCurrentThread.KERNEL32 ref: 00C0D233
GetCurrentProcess.KERNEL32 ref: 00C0D270
GetCurrentThreadId.KERNEL32 ref: 00C0D2C9

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3477c88b126ab0fa0a9792781663f246c65e20d9dff33b212edde870b531885f
Instruction ID: 84c636eae7d65db834ecd11a0b9fe782acb92a4e447d50fc327915fd2449b753
Opcode Fuzzy Hash: 3477c88b126ab0fa0a9792781663f246c65e20d9dff33b212edde870b531885f
Instruction Fuzzy Hash: A35155B0900249CFDB14DFA9D548BAEBBF5EF48304F208459E019A73A0D778A984CBA5

Function 0CFE02BC Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0CFE04FE

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 761e2d71509c6a5f391a5f6f4cc0f80e1ca90cde3428cf21f500bc3b566ad62a
Instruction ID: 16be40eb5c1f1d5f3e2d8ccab27cdc247c5610d058d5a80d30ce481fe15e3c8b
Opcode Fuzzy Hash: 761e2d71509c6a5f391a5f6f4cc0f80e1ca90cde3428cf21f500bc3b566ad62a
Instruction Fuzzy Hash: D2A17171E01319DFDB20CF68C9417EEBBB2BF44310F14816AD858A7294DBB49985DF92

Function 0CFE02C8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0CFE04FE

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9a47a1b7c8fb36f2cd213d210a967c143426e23c74f4f1c6d9469e0c41cafcaf
Instruction ID: 6caad36182d686e960f2ed5a11daae91220846eaaa43b55211dbe7a35132807f
Opcode Fuzzy Hash: 9a47a1b7c8fb36f2cd213d210a967c143426e23c74f4f1c6d9469e0c41cafcaf
Instruction Fuzzy Hash: 9E917171E01319CFDB10CF68C941BEDBBB2BF48310F14816AD858A7294DBB49985DF92

Function 00C044C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C059C9

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 16846738657e71b7c4ab3645af009c1d84b726131e58e99d7bdeaddf2664a61c
Instruction ID: 09090903eca9f3e387b0606a1a24e997c87eb34dc0d51a90f8834c213afbf855
Opcode Fuzzy Hash: 16846738657e71b7c4ab3645af009c1d84b726131e58e99d7bdeaddf2664a61c
Instruction Fuzzy Hash: 4441E5B0D0071DCBDB24DFA9C8847DEBBB5BF48304F20815AD419AB255D775A946CF90

Function 00C0590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C059C9

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6cb60af67b8860e5b9fa77408157fd3d16f907af3babeaf4a645a0f5f0d4bb84
Instruction ID: 0454ff20976a1be9a7dbcbc8f7678be442679fafc9a1f672d6b0d89bf03d7c16
Opcode Fuzzy Hash: 6cb60af67b8860e5b9fa77408157fd3d16f907af3babeaf4a645a0f5f0d4bb84
Instruction Fuzzy Hash: 1B41F2B0D00719CFDB24DFA9C8847DEBBB5BF48304F20806AD458AB294DB75694ACF90

Function 0CFE0007 Relevance: 1.6, APIs: 1, Instructions: 92
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0CFE00D0

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4e31475c1e47849c8d2f283aeafb5095fb9d3be237ddd12934005049d4af308d
Instruction ID: 45dc74f886a774a32dd0d0253344b3594df73c45cac82b54fa2f58f07d1bab4d
Opcode Fuzzy Hash: 4e31475c1e47849c8d2f283aeafb5095fb9d3be237ddd12934005049d4af308d
Instruction Fuzzy Hash: 7C31CC718093889FCB11CFA9C8446DEBFF1FF4A310F1484AED988A7252C7799945DBA1

Function 0CFE0040 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0CFE00D0

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2aa4b52a97a07c30863243031bef4412219cfeb206124bb90ae42cd2f9d0e8c4
Instruction ID: 36ae59292099d4592ca3c73f4ed9a441b361a86ebe9d19739b2f39247fd02fd1
Opcode Fuzzy Hash: 2aa4b52a97a07c30863243031bef4412219cfeb206124bb90ae42cd2f9d0e8c4
Instruction Fuzzy Hash: 4C2139B1D003499FCB10DFAAC885BEEBBF5FF48310F108429E959A7250C7799944DBA1

Function 077AFE43 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077AFEC6

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 08ba06f042ad9b08011a08bac42986d501f9f6eb94f39d1ac40e4ca54076dad1
Instruction ID: cc8f543b779d1145e7bb142af33bdbe9d7db6b614961aa74c88cf4278f9ad5fb
Opcode Fuzzy Hash: 08ba06f042ad9b08011a08bac42986d501f9f6eb94f39d1ac40e4ca54076dad1
Instruction Fuzzy Hash: 372157B19003099FDB10DFAAC4847EEBBF4EF88364F14842AD459A7241CB78A945CFA0

Function 0CFE0128 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0CFE01B0

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4288c9dac003a53ebae4958169121098987df33ca20db7e8c348f061b17fc70b
Instruction ID: fa59947133b31b40f0eeb76e3a397ce28f9b58539f09318eacd0d3d48108023b
Opcode Fuzzy Hash: 4288c9dac003a53ebae4958169121098987df33ca20db7e8c348f061b17fc70b
Instruction Fuzzy Hash: 552128B1D003499FCB10DFAAC884AEEBBF5FF48320F508429E559A7250CB799944DBA5

Function 00C0B390 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C0B41E

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d509f5671b35a2a014a97622abb946ea424f3493b18c738c4f81855038a3c338
Instruction ID: 7e45a23d40baa183194c4c82033060b5696afec7740cf66db400d63a4d2ecf17
Opcode Fuzzy Hash: d509f5671b35a2a014a97622abb946ea424f3493b18c738c4f81855038a3c338
Instruction Fuzzy Hash: 69216DB1C097888FDB11DFAAD4446DEBFF0EF49314F15849AC458A7262C3396949CFA1

Function 077AFE48 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077AFEC6

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3edd08bf351494f51037e64001079d6ef0bd25223a4594593a2ebed5862829e8
Instruction ID: 5ad35a0e7924288fce68851db2f5f255ad5169e3a9b03b3eca5786dc001e7019
Opcode Fuzzy Hash: 3edd08bf351494f51037e64001079d6ef0bd25223a4594593a2ebed5862829e8
Instruction Fuzzy Hash: 622158B1D003099FDB10DFAAC4857EEBBF4EF88360F14842AD559A7241CB78A944CFA0

Function 0CFE0130 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0CFE01B0

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: dcc98893b57a1b71d6a189fa2d8abded8986bc93be85633f5eea1d343d00f04c
Instruction ID: 906ef67d856dc90065141cff87392abed9aedd320b0a8c246d66738a78a7781e
Opcode Fuzzy Hash: dcc98893b57a1b71d6a189fa2d8abded8986bc93be85633f5eea1d343d00f04c
Instruction Fuzzy Hash: 092139B1C003499FCB10DFAAC884AEEFBF5FF48310F108429E559A7250C7789544DBA1

Function 00C0D3C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C0D447

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9ebe8c64f2031c50986deb9614462607f8caf89fc14c2f753763b18a69df0e43
Instruction ID: 84663dd738cbf7c555c16cd4e0e35b6c017c72e59900d4b9cebafd6e4e44be2b
Opcode Fuzzy Hash: 9ebe8c64f2031c50986deb9614462607f8caf89fc14c2f753763b18a69df0e43
Instruction Fuzzy Hash: 9D21C4B59002499FDB10CF9AD584ADEBBF9FB48310F14841AE958A3350D379A944CFA5

Function 00C0D3B8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C0D447

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dd27837cb3b34d863671f3dd3191479a8f2fa01f635c95cfa013a81642be2ff9
Instruction ID: 1350261879cdc97eaf228530be74ce5d68146c239c76397796933f555b83f463
Opcode Fuzzy Hash: dd27837cb3b34d863671f3dd3191479a8f2fa01f635c95cfa013a81642be2ff9
Instruction Fuzzy Hash: 3C21E3B5900209DFDB10CF9AD584AEEBBF5FB48310F14841AE958A3250C778A954CFA4

Function 077AFF18 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 077AFF8E

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 764b4cc28e2a294885f47ebd7e23d80e82924ad31a8d4773f546a4e1eb57578c
Instruction ID: 7a7b03b2b0ca9a6344725c4a3a74ce8c9195a2b594952ed831ff2dccb86e6112
Opcode Fuzzy Hash: 764b4cc28e2a294885f47ebd7e23d80e82924ad31a8d4773f546a4e1eb57578c
Instruction Fuzzy Hash: 03117FB5800249AFDB20DFAAC845ADFBFF5EF88320F148419E519A7250CB399550CFE1

Function 077A4078 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 077A40F0

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 13685574616240b5508e78fbd92fd332b134519da234b77c1f2ca9a0a9f38ae5
Instruction ID: 849c05833a8ead16964e97b338c3c1425e76f8374c089ac01393eb125cfb7d1e
Opcode Fuzzy Hash: 13685574616240b5508e78fbd92fd332b134519da234b77c1f2ca9a0a9f38ae5
Instruction Fuzzy Hash: 0D1117B1C00659AFDB10DF9AD4446DEFBF4FB88320F10856AD918A3640C775A544CFA5

Function 077A3534 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 077A40F0

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 8a8041fb0f5d5e57eb70fcfc6c7926559635acc2ffdd98dc5695017675e903b8
Instruction ID: 23721f33c1f9ab37ccc36dec52b94805778f1cb44bc3d9f6586369180b885cbd
Opcode Fuzzy Hash: 8a8041fb0f5d5e57eb70fcfc6c7926559635acc2ffdd98dc5695017675e903b8
Instruction Fuzzy Hash: 381114B1C0465AABCB10DF9AD444A9EFBF4FB89350F10866AD918A3240C379A944CFA5

Function 077AFF20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 077AFF8E

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 406e889db908f0d0644940a2d04bff77869e56154d463912595292a15fe8e877
Instruction ID: 5b9e2c094f17d79a7ddc61e6ede58428d9a4a0c7f63cc8122b0645c47c2af34a
Opcode Fuzzy Hash: 406e889db908f0d0644940a2d04bff77869e56154d463912595292a15fe8e877
Instruction Fuzzy Hash: D21149B18002499FDB20DFAAC844AEFBFF5EF88320F148819E519A7250C779A544CFA0

Function 077AF958 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 077AF9C2

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6c44ef3dfcec0cd1bb04862be25494ff389e8b836145e1e3d8a749f1ad64f57e
Instruction ID: 10f76388e25c3740fd407aa9db73bdb5012a750f8c6ee3433acb9b39d722327b
Opcode Fuzzy Hash: 6c44ef3dfcec0cd1bb04862be25494ff389e8b836145e1e3d8a749f1ad64f57e
Instruction Fuzzy Hash: 23115BB1D002499FDB20DFAAC444BEEFBF5EF88324F24881AD559A7240C739A545CF94

Function 077AF960 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 077AF9C2

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3802d7bc0cb941f79a23c855122e1febda248dc6b7ac2dd7e42b3395b175feaf
Instruction ID: ddd649ca1fe96f7e9af996f4f3de03647e3722903e81562d184e3ac22570e1dd
Opcode Fuzzy Hash: 3802d7bc0cb941f79a23c855122e1febda248dc6b7ac2dd7e42b3395b175feaf
Instruction Fuzzy Hash: 47113AB1D003499FDB20DFAAC4457AEFBF5EF88320F24881AD559A7250CB79A544CFA4

Function 00C0B3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00C0B41E

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: acd60febd3e6546e3ec07abc832299346a5a9c006e9e51818dcca4381eae7b08
Instruction ID: ea0d6085d3199b39ab6936f9ab3c210e241b5995303f9ab04550d88fc0757791
Opcode Fuzzy Hash: acd60febd3e6546e3ec07abc832299346a5a9c006e9e51818dcca4381eae7b08
Instruction Fuzzy Hash: A9110FB5C006498FCB20CF9AC444ADEFBF4AF88324F14841AD528A7250C379AA45CFA1

Function 0CFE29A8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0CFE2A0D

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 061471ce9a1d2b91868f2220dc06b55caacbcf516524c4c178efbb3a33e9056e
Instruction ID: 9fe637ce4f712272635aa2d03c35d3432911afc7df971f3eaa310e4cb124b909
Opcode Fuzzy Hash: 061471ce9a1d2b91868f2220dc06b55caacbcf516524c4c178efbb3a33e9056e
Instruction Fuzzy Hash: 5E11C2B58003499FDB20DF9AD449BDEBBF8EB48720F10845AE558A7210D379A944CFA5

Function 0CFE29B0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0CFE2A0D

Memory Dump Source

Source File: 00000000.00000002.2098839137.000000000CFE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CFE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfe0000_S1qgnlqr1V.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7febf2304d4239287d3a12f949e808921545888f2cedfb5150e89b3c66b085a1
Instruction ID: dc586517eabcf5c4163dcfdd77e260dc59ba37b8b87812cee89628e5180be37b
Opcode Fuzzy Hash: 7febf2304d4239287d3a12f949e808921545888f2cedfb5150e89b3c66b085a1
Instruction Fuzzy Hash: E511D3B58003499FDB20DF9AD445BDEFBF8EB48720F108419E558A7210D379A944CFA5

Function 077A3540 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 077A418F

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 54c7e4437723aa3bc55a0ce90e45b660efd5a0777573bab7f76c8d3e85e7d64b
Instruction ID: 0c903308674c53bda5f19daed94cf7e100185f423df24b325ba11cd930efaf47
Opcode Fuzzy Hash: 54c7e4437723aa3bc55a0ce90e45b660efd5a0777573bab7f76c8d3e85e7d64b
Instruction Fuzzy Hash: DB1128B18002499FDB10DF9AC444BEEFBF4EB49320F208469E558A3651D379A944CFA5

Function 077A4128 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 077A418F

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 94060484fe4d8dfbf4f38498bcd45467f6c6b383b69b9d8c94d882a298a09336
Instruction ID: f69ecfab54cec16eff34d5dbe6135d7cb708f758b00bc1846baa1bca8a699b3c
Opcode Fuzzy Hash: 94060484fe4d8dfbf4f38498bcd45467f6c6b383b69b9d8c94d882a298a09336
Instruction Fuzzy Hash: 3D1128B18002499FEB20DF9AC4447EEBBF4EF49324F248469D558A3251D379A544CFA5

Function 00B8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079143721.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f2ef774f6a1d15a04e8ebda7c539c65c1a2877826f30084494134e618b79c9
Instruction ID: d7e813263e7579ff69c07e28a878b574f55ad3e7cbd87c0b2b6509f11c23e170
Opcode Fuzzy Hash: a0f2ef774f6a1d15a04e8ebda7c539c65c1a2877826f30084494134e618b79c9
Instruction Fuzzy Hash: AE210A71504204DFDB05EF14D9C0F16BFA5FB98324F28C5AAD9090B3A6C33AE856D7A2

Function 00B9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079180986.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0debc2b170c2926f20a06971cf99d7fc069ecc08ab4cdfd900e73ade611cba0d
Instruction ID: 34331b1f1273aa2c1c164dcf6d13e4eee9abfce50e450b56614a3237caa48466
Opcode Fuzzy Hash: 0debc2b170c2926f20a06971cf99d7fc069ecc08ab4cdfd900e73ade611cba0d
Instruction Fuzzy Hash: E721D071604204DFDF14DF24D9D4B26BFA5FB88314F20C5B9D94A4B296C33AD806CA61

Function 00B9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079180986.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce453ca5b314a242fbc019469454d564fb9fe3f665f2695cd8c95d506ecfdec5
Instruction ID: f3a5f762a7dc9d46c871c315d04b288aa05955347233bdb246c7f652384d396b
Opcode Fuzzy Hash: ce453ca5b314a242fbc019469454d564fb9fe3f665f2695cd8c95d506ecfdec5
Instruction Fuzzy Hash: 55210471604204EFDF05DF25D9C0F26BBA5FB88314F20C5BDE9094B296C33AD806CA61

Function 00B9D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079180986.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a65caa3e1d6dcb0ced5f849dda5539bcf1c5e9d1d3cd14b18b65900e3303016
Instruction ID: 5a8ef8683bebf9ee7b1b9247ec27c802bd80da8cf2c5ede68896c0d6560bdc46
Opcode Fuzzy Hash: 0a65caa3e1d6dcb0ced5f849dda5539bcf1c5e9d1d3cd14b18b65900e3303016
Instruction Fuzzy Hash: 412196755093808FDB16CF24D5A4715BFB1FB46314F28C5EAD8498B697C33AD80ACB62

Function 00B8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079143721.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: d7ff80cac3b4cbb8fa0610f865cf53177a28017da094b987c2669b5679272ca2
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 43110672504240DFCB02DF00D5C4B16BFB1FB94314F28C6AAD9090B366C33AD45ACBA1

Function 00B9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079180986.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b9d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 7e4e049f85b781597c491000677b86f76214a43a424c7518e2a3f873ad6cd6e7
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 7D118B75504280DFDB16CF14D5C4B15BBA1FB84314F24C6A9D8494B6A6C33AD84ACB62

Function 00B8D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079143721.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541fee14f5ddc28c0d37bc2ef512d50dd8e2edfa3ca9aaa30c488ae8040e9a0
Instruction ID: a15b6193896cdef74f721f6aba0e7e73d798ae4e9b558421d757f349febe1efe
Opcode Fuzzy Hash: c541fee14f5ddc28c0d37bc2ef512d50dd8e2edfa3ca9aaa30c488ae8040e9a0
Instruction Fuzzy Hash: FF01A775104344DAE720AB15DDC4B66BFD8EF55360F28C5ABED090A2E6C67D9C40C7B1

Function 00B8D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079143721.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b8d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8033b552daae51122d7eb1b2c54a0ae5aa70d38beeee63f533fe63a25b460ae1
Instruction ID: fe6791431e541530168f5386059ed48a2c2c68d165920e0f661f671fe1e4925e
Opcode Fuzzy Hash: 8033b552daae51122d7eb1b2c54a0ae5aa70d38beeee63f533fe63a25b460ae1
Instruction Fuzzy Hash: 6CF0CD75004344EEEB208A0ADC84B62FFE8EF51734F18C59BED080B296C279AC44CBB1

Non-executed Functions

Function 077ADD70 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

}P, xrefs: 077ADDCB

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID: }P
API String ID: 0-459933098
Opcode ID: 3d8bda37a2a1ae498c6c11498ec38fa36deee9c91864b4f9170cac925641d759
Instruction ID: 7476c19a53095a3360e6f80dadeb524acb27cc6ea21da83c3ebaf25000f4d33e
Opcode Fuzzy Hash: 3d8bda37a2a1ae498c6c11498ec38fa36deee9c91864b4f9170cac925641d759
Instruction Fuzzy Hash: AFE11DB4E042199FDB14DFA9C5809AEFBF2FF89301F248169D415AB35AC730AA41CF61

Function 077A1C70 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ffcfe0d133c43497298ae9fdf6d978ccf30f47e429adf8fe3726f960ff0d76
Instruction ID: 7b3e2f6115f9574d67ee8e09ead1916e8026a2d85823a5740825735c6892c1e9
Opcode Fuzzy Hash: 17ffcfe0d133c43497298ae9fdf6d978ccf30f47e429adf8fe3726f960ff0d76
Instruction Fuzzy Hash: 0DE13EB4E042199FDB14DFA8C5809AEFBF2FF89301F648269D415AB356D731AA41CF60

Function 077A2578 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f917e4b9a620e45cd160a53bd813fe65869d6121d98c1270cad25dfe8d879424
Instruction ID: 8c258f2442cd68cb269818eb31ad8a472c5161007fe6172b7561a0c02ead4327
Opcode Fuzzy Hash: f917e4b9a620e45cd160a53bd813fe65869d6121d98c1270cad25dfe8d879424
Instruction Fuzzy Hash: 98E11FB4E142199FDB14DFA8C5809AEFBF2FF89305F248169D415AB356D730AA41CFA0

Function 077AD500 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ad1aa519c10bd3a23b7600ff1a03413bfb398911869d3c98951091aeb0e72d
Instruction ID: 1bf998df17e53399b709d06ef946fc1e36c5b7442d8155158121e5f5a29fadfb
Opcode Fuzzy Hash: e8ad1aa519c10bd3a23b7600ff1a03413bfb398911869d3c98951091aeb0e72d
Instruction Fuzzy Hash: BEE12FB4E002199FDB14DF99C5809AEFBF2FF89345F248269D415AB35AD730AA41CF60

Function 077A20B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e3a0239238c9f8096cc9fcb0eb543deeb1735b8d4cfba65156801b2269409a
Instruction ID: 35044e793455e31f3167cfd81608ad4193a3c24bec3754908905d054d64a6a1b
Opcode Fuzzy Hash: 48e3a0239238c9f8096cc9fcb0eb543deeb1735b8d4cfba65156801b2269409a
Instruction Fuzzy Hash: 18E11EB4E002199FDB14DFA9C5809AEFBB2FF89305F248169D415AB356D730AE41CFA0

Function 077A2E28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0f3abc839e6446bb36349b2bb5e81594473ee1e08d7bb78f598f3505b6f998
Instruction ID: 92b320c97c1084c918c2a3937e0a709fdb396e5e34eebea3ffdf67fc1b956063
Opcode Fuzzy Hash: db0f3abc839e6446bb36349b2bb5e81594473ee1e08d7bb78f598f3505b6f998
Instruction Fuzzy Hash: 16E11FB4E142199FDB14DFA8C5809AEFBF2FF89305F248169D415AB356D730AA41CFA0

Function 077AFA10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5c74fdfacb32102b279d525893311c0f21a096fec2f014ea69063206026115
Instruction ID: 5fbd2194b3867453685b8dad21162debdb254e7fc791374205481ca489b1da7b
Opcode Fuzzy Hash: ee5c74fdfacb32102b279d525893311c0f21a096fec2f014ea69063206026115
Instruction Fuzzy Hash: 55E14DB4E002199FDB14DFA9C5809AEFBF2FF89305F248669D415AB316D730AA41CF60

Function 077AD938 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c821d2d1c693bb02323f3456e0ca0604e51ffed5d84ad0e0d05b0bd932fa6c49
Instruction ID: 45c1ca0fdfea348e3e58a75303dd2e3dac630537b500fa260ac55cd79d46536b
Opcode Fuzzy Hash: c821d2d1c693bb02323f3456e0ca0604e51ffed5d84ad0e0d05b0bd932fa6c49
Instruction Fuzzy Hash: E9E10BB4E042199FDB14DFA9C5809AEFBF2FF89305F248259D415AB35AD730AA41CF60

Function 077A57D7 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436ed9a1b7fadfb07113c3bd3f1fb343d0a3ead4c66bded11efce40c0f092f2d
Instruction ID: f75bc5e403c0f853ba3e7d0ee64b58738789cbf326a97d4412620ad806708ffe
Opcode Fuzzy Hash: 436ed9a1b7fadfb07113c3bd3f1fb343d0a3ead4c66bded11efce40c0f092f2d
Instruction Fuzzy Hash: 4BD12631D6075ADACB10EF64D950A9DB7B5FF95300F20C79AE0097B225EB706AC9CB81

Function 077A57D8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c930b3445cf5dcaac8fd385a9b32feea3e73e7c698325a3497a94b08bdfdd6c0
Instruction ID: 5b4018b4177908d3a748a009cc9f34030ab440643ac4d58eed743ed03985b377
Opcode Fuzzy Hash: c930b3445cf5dcaac8fd385a9b32feea3e73e7c698325a3497a94b08bdfdd6c0
Instruction Fuzzy Hash: 2AD12631D6075ADACB10EF64D950A9DB7B5FF95300F20C79AE0097B225EB706AC9CB81

Function 00C0DA8C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2079416889.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c00000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d588f9f72ea59380ceb62bf835eac7764339e43ac3d112ba76ffd38f4dbf89b0
Instruction ID: 34d1961d01b982a7fdd5088168666a330aec0fee4b28b4f10be98ed3b271a19e
Opcode Fuzzy Hash: d588f9f72ea59380ceb62bf835eac7764339e43ac3d112ba76ffd38f4dbf89b0
Instruction Fuzzy Hash: 7FA17F32E00209CFCF15DFB5C84459EBBB2FF85300B15417AE816AB2A5DB75EA46DB40

Function 077A6988 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8cffdbf6129bb5a81359052097d8330d3e69afe380ed0cbc76c72e2b9df08e
Instruction ID: cfa2c88a3bcc3c4d15582436fe949583a2094db17e357e7aec0209c6868ba63b
Opcode Fuzzy Hash: ce8cffdbf6129bb5a81359052097d8330d3e69afe380ed0cbc76c72e2b9df08e
Instruction Fuzzy Hash: F47191B4E012189FDB04DFAAC58499EFBF2BF89310F28C16AD418EB255D734A941CF50

Function 077A66F0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838f86ecb0bc825875a07a16de0b1207a28e51a85122457142115d0fba9d2596
Instruction ID: 0faf64f00a9b9f72a9a2d401f9fd53da052c14ae6d8121d366b036082fb3dcb6
Opcode Fuzzy Hash: 838f86ecb0bc825875a07a16de0b1207a28e51a85122457142115d0fba9d2596
Instruction Fuzzy Hash: 785190B5D002199FDF08DFEAD8446EEBBB6FF89311F14812AE419AB254DB345A46CB40

Function 077AD928 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370954fe7c797082b7f1dc6d75dd8783d4431b6daac99990f329f7648b8b9fe7
Instruction ID: 7a3148b0f52fe92763b308976ba36615593f1d8d5002256c9c8728369745b92e
Opcode Fuzzy Hash: 370954fe7c797082b7f1dc6d75dd8783d4431b6daac99990f329f7648b8b9fe7
Instruction Fuzzy Hash: 31510CB4E042199FDB14CFA9C5805AEFBF2EF89301F248169D418AB35AD7319E41CFA1

Function 077A6979 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5f3c58cb2f2832ca5330062494853d3f88bfa79740b1e8a1561416e3aca8d3
Instruction ID: ba2ae7d6f37e6f437623f1143f75458436c4761f8447613af0da3c15223b6274
Opcode Fuzzy Hash: 4b5f3c58cb2f2832ca5330062494853d3f88bfa79740b1e8a1561416e3aca8d3
Instruction Fuzzy Hash: 955180B5E006189FDB08DFAAC98459EFBF2BF89311F14C16AD418EB359DB349942CB50

Function 077A66E0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096907742.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b2f7d7a4e375c7e67e05ff3be3dc86038be3cc5b17819ea7e051658debaf0f
Instruction ID: e8d1619b98f0d4fdbfac7850d97469603f936b0b04d14c5111ac4a4524981f5e
Opcode Fuzzy Hash: d1b2f7d7a4e375c7e67e05ff3be3dc86038be3cc5b17819ea7e051658debaf0f
Instruction Fuzzy Hash: 7541C3B5E046099FEB08DFEAD8446EEFBF6AF88310F14C52AD418AB254EB345945CF40

Analysis Process: S1qgnlqr1V.exePID: 5880, Parent PID: 6672COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	7

Executed Functions

Function 0125D408 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0125D496
GetCurrentThread.KERNEL32 ref: 0125D4D3
GetCurrentProcess.KERNEL32 ref: 0125D510
GetCurrentThreadId.KERNEL32 ref: 0125D569

Memory Dump Source

Source File: 00000004.00000002.3613486912.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1250000_S1qgnlqr1V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4cc19c53f62106d725bb70814ecce445ea27f7e5121af9e68465bf0e74189630
Instruction ID: 523657191b5675bd37f22495a3cc9d330477dca146e0bd45b92f0325f6d54d9f
Opcode Fuzzy Hash: 4cc19c53f62106d725bb70814ecce445ea27f7e5121af9e68465bf0e74189630
Instruction Fuzzy Hash: 655167B09112498FDB44DFA9D588B9EBFF1EF48314F248059E509A7390D7389984CF65

Function 0125D418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0125D496
GetCurrentThread.KERNEL32 ref: 0125D4D3
GetCurrentProcess.KERNEL32 ref: 0125D510
GetCurrentThreadId.KERNEL32 ref: 0125D569

Memory Dump Source

Source File: 00000004.00000002.3613486912.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1250000_S1qgnlqr1V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2d87235ff00d4e4a0e7389e928213cedefe3a7e0095478df29d43acb4aaf331c
Instruction ID: e4df690c81fa0b6bfaccca40df749ef63b0be4840c4dd201522b931666da76b4
Opcode Fuzzy Hash: 2d87235ff00d4e4a0e7389e928213cedefe3a7e0095478df29d43acb4aaf331c
Instruction Fuzzy Hash: FC5156B09113498FDB54DFAAD588B9EBFF1EF48314F208059E509A73A0D738A984CF65

Function 0125AD88 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0125AFDE

Memory Dump Source

Source File: 00000004.00000002.3613486912.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1250000_S1qgnlqr1V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 037a84da8b8affd283ab6b64c7a1115bbf643cd5f39368d0afd4b186202a508e
Instruction ID: 5e1cdf347eb256b9fcc882319a6a0b3b8ccdc7860edd506efa77066218356b0d
Opcode Fuzzy Hash: 037a84da8b8affd283ab6b64c7a1115bbf643cd5f39368d0afd4b186202a508e
Instruction Fuzzy Hash: 17717870A10B058FDB64DF29D48675ABBF5FF48300F008A2DD94AD7A50DB75E845CB90

Function 0125D658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0125D6E7

Memory Dump Source

Source File: 00000004.00000002.3613486912.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1250000_S1qgnlqr1V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18652d3f962b132552d4eec106dc899b184495749b6fa2b19bad2f0dec03b3e7
Instruction ID: e0fdd1bcb3f3512b4d2ea38d5200240762890c3439628f2cc9af3ef2624d1009
Opcode Fuzzy Hash: 18652d3f962b132552d4eec106dc899b184495749b6fa2b19bad2f0dec03b3e7
Instruction Fuzzy Hash: C121E3B5900249EFDB10CFAAD584ADEBFF9EB48310F14845AE918A7350C379A944CFA5

Function 0125D660 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0125D6E7

Memory Dump Source

Source File: 00000004.00000002.3613486912.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1250000_S1qgnlqr1V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 03076279fb69f218f3344b8a04dbf6113546255aa61b950bbdf019abeeae4ceb
Instruction ID: af69f9070f3d8a3fec229d924f3727a0114fd93e153b58761d1438c7c6c3ad9f
Opcode Fuzzy Hash: 03076279fb69f218f3344b8a04dbf6113546255aa61b950bbdf019abeeae4ceb
Instruction Fuzzy Hash: 0E21B0B5900249DFDB10CFAAD984ADEBBF9EB48310F14841AE918A7350D378A945CFA5

Function 0125AF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0125AFDE

Memory Dump Source

Source File: 00000004.00000002.3613486912.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1250000_S1qgnlqr1V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 330fbe333607ab6a3bea8c0c70b3e256c67bd79019dc656dec11d46c587478d4
Instruction ID: f0e86683edae1ebe61db59cf92cf40267824c255b35952728caf4eb40b0e6b5b
Opcode Fuzzy Hash: 330fbe333607ab6a3bea8c0c70b3e256c67bd79019dc656dec11d46c587478d4
Instruction Fuzzy Hash: 3A11E0B5C007498FDB10DF9AC484ADEFBF4EF88314F10855AD929A7650C379A545CFA1

Function 00F6D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3611389968.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f6d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743f772eac193c1f234e4a12f538c0f4aff40702b11c713499a2271d6fb90da7
Instruction ID: b97a1a8aafcf13c0a03dd82a6fe71fa209d5e028e717f9d68cff9ef1341db9ea
Opcode Fuzzy Hash: 743f772eac193c1f234e4a12f538c0f4aff40702b11c713499a2271d6fb90da7
Instruction Fuzzy Hash: 80212572A04244DFCB05DF14D9C0F26BF65FB98324F20C569E9090B256C73AE856E7A2

Function 00F7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3611457886.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f7d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4903fe81c9da2b521570f479b18e256b2226b8c61cab66037606eaaf31d4d3b
Instruction ID: 04873e7fc1ba613dc56e66e47ef14dbedc7b5fa55678d38fb5085eb3793e948c
Opcode Fuzzy Hash: c4903fe81c9da2b521570f479b18e256b2226b8c61cab66037606eaaf31d4d3b
Instruction Fuzzy Hash: 4A21D075604204DFCB14DF24D984B26BB75EF88324F64C56ED90E4B29AC33AD806EA62

Function 00F7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3611457886.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f7d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f145368555bf9039fd3a0b837a428f0fe2856f5858cace0325a4754459a60f
Instruction ID: 18c885caed0c909fa5b30e92ea43077c9e44418e3e64f819e636502ea98367db
Opcode Fuzzy Hash: 70f145368555bf9039fd3a0b837a428f0fe2856f5858cace0325a4754459a60f
Instruction Fuzzy Hash: A22150755093808FDB12CF24D994715BF71EF46314F28C5EBD8498B6A7C33A980ADB62

Function 00F6D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3611389968.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f6d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 73cde9a067073f6d29ad25b3ac3217c42fc6554b8e58c3b24d95ba6d1eb72699
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3B11E676904280CFCB16CF10D5C4B16BF71FB94324F24C5A9D9490B656C336E85ADBA2

Analysis Process: S1qgnlqr1V.exePID: 7348, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	5

Executed Functions

Function 07642CA0 Relevance: 1.6, APIs: 1, Instructions: 60nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07642D27

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d79d75cac3f333c8d5c867ca9896b4944028b6a6bc01ee595279273b75190a4d
Instruction ID: 03d172b0bd2daa5ac823f3a4200989b18ff586c3cc6ed6b55213a885667741d3
Opcode Fuzzy Hash: d79d75cac3f333c8d5c867ca9896b4944028b6a6bc01ee595279273b75190a4d
Instruction Fuzzy Hash: 8221EFB5900249EFCB10DF9AD885ADEFBF4FF49310F20842AE919A7210D774A940CFA5

Function 07642CA8 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07642D27

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: bb5601c985592adfc2a1864ef6d86d0af8186f2c2e1a11a6db5e0bffbec1feb6
Instruction ID: 8bcf104119c8059ae322dab93f20a9723ed0689a68daf1d648492eb6e79c5655
Opcode Fuzzy Hash: bb5601c985592adfc2a1864ef6d86d0af8186f2c2e1a11a6db5e0bffbec1feb6
Instruction Fuzzy Hash: 4321CEB5900259DFCB10DF9AD884ADEFBF4FF49310F20842AE919A7210D379A944CFA5

Function 03210454 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03210696

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b489c64564dc35d6c936f824a794a496e00440f8726e58cdcf3007107ce6d410
Instruction ID: a4a13896d194e87eda3c5d7672796feac878c132c2afc8fee76f39b9db9a1c2f
Opcode Fuzzy Hash: b489c64564dc35d6c936f824a794a496e00440f8726e58cdcf3007107ce6d410
Instruction Fuzzy Hash: A0A149B1D1021ADFDB10CF68C940BADBBF2BF48310F1481AAE809A7284DB7599D5CF91

Function 03210460 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03210696

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 89616acc3c23c739e1b9116b58aecd139d9c067e0701d81a50023d944ab6258e
Instruction ID: 15206c9d52f8527cc40a2999b7d36935213a9aa31b6af9f95d84df68cb91a6a6
Opcode Fuzzy Hash: 89616acc3c23c739e1b9116b58aecd139d9c067e0701d81a50023d944ab6258e
Instruction Fuzzy Hash: 85914AB1D1021ADFDB14CF68C940BADBBF2BF48310F1481AAE809A7294DB7599D5CF91

Function 018344C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018359C9

Memory Dump Source

Source File: 0000000A.00000002.2132460575.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_S1qgnlqr1V.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 182ed9fece17880f68bd8ba8c748771c46a64a3e04b602c70158b1d3905a34ed
Instruction ID: 478ea9ec979b4bb0e6ba01437ad0f8d173f5fdbeb86c82af1931caf39058932b
Opcode Fuzzy Hash: 182ed9fece17880f68bd8ba8c748771c46a64a3e04b602c70158b1d3905a34ed
Instruction Fuzzy Hash: C441D2B0C0071DCBDB24DFA9C884B9DBBF5BF89304F24806AD418AB255DB756A46CF90

Function 0183590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018359C9

Memory Dump Source

Source File: 0000000A.00000002.2132460575.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_S1qgnlqr1V.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0127711548fee904f6fc89fdf0d321861c0adc2f32516fa8f7b2471e6191ba03
Instruction ID: a18ae18b9e8eaaf518ed6e542eb1c9fe0f50c38b8ebb729a54d70be64692f797
Opcode Fuzzy Hash: 0127711548fee904f6fc89fdf0d321861c0adc2f32516fa8f7b2471e6191ba03
Instruction Fuzzy Hash: 0441C0B0C00719CBDB24DFA9C984B9DBBF5BF49304F24806AD418AB255DB756A46CF90

Function 03210007 Relevance: 1.6, APIs: 1, Instructions: 90
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 032100BE

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8c9e5e9e47e4b6456b478b3af1164720dda202cb77ebb35adac0401490accbd9
Instruction ID: 3be91ce1f815b4c3e184bdf94d2d0855fde2899b62e68c0a949d12e20c1efede
Opcode Fuzzy Hash: 8c9e5e9e47e4b6456b478b3af1164720dda202cb77ebb35adac0401490accbd9
Instruction Fuzzy Hash: BF31A4718083888FCB11CFA9C8847EEBFF4EF46314F1984AAD444AB252D7389544CFA1

Function 032101D0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03210268

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8227acf66fc8a208cda04a0ca745beef64284e247ff6bc1d50ee15fb0b4de76f
Instruction ID: 131975ca0ec8af2f4c69ab22a8e426889697ff50f32f902fa26305a503842320
Opcode Fuzzy Hash: 8227acf66fc8a208cda04a0ca745beef64284e247ff6bc1d50ee15fb0b4de76f
Instruction Fuzzy Hash: C42139719003499FCB10DFA9C985BDEBBF5FF48310F10842AE919A7240D7789594CBA0

Function 032101D8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03210268

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 17b7eec65ebb074eff0c4bef0d49dc2090c283d4b805aea62a9e5a07592e2073
Instruction ID: 8e96d10827cdcbd2a8730dd0ed1f71a6b622220a9c0222b5d6ca622472a24a6c
Opcode Fuzzy Hash: 17b7eec65ebb074eff0c4bef0d49dc2090c283d4b805aea62a9e5a07592e2073
Instruction Fuzzy Hash: CB212A719003099FCB10DFAAC945BDEFBF5FF48310F10842AE919A7240D7789994CBA0

Function 032102C0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03210348

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 22ade95587ed85bb9be94335e5efe5a6172d1911b050f916c81fb9c6ad57067e
Instruction ID: 64a38beed63c0091e131c68e5d41307733f83d084bd713b4bb436602ad527b5d
Opcode Fuzzy Hash: 22ade95587ed85bb9be94335e5efe5a6172d1911b050f916c81fb9c6ad57067e
Instruction Fuzzy Hash: 722145B18003499FDB10DFAAC980BEEFBF5FF48320F50842AE519A7250D7399940CBA0

Function 0183B388 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0183D386,?,?,?,?,?), ref: 0183D447

Memory Dump Source

Source File: 0000000A.00000002.2132460575.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_S1qgnlqr1V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e3e7380ec381ee38ea36a087c8759368137747f6cd97e08390ef9558826166f
Instruction ID: d603dcc0e4aaf9b8dc0f90a83cab07933c477c8fcd022223a47eb93a5045c9a0
Opcode Fuzzy Hash: 3e3e7380ec381ee38ea36a087c8759368137747f6cd97e08390ef9558826166f
Instruction Fuzzy Hash: 4E21E4B59002489FDB10CF9AD984AEEBFF9FF48310F14841AE918A3311D378A954CFA5

Function 032102C8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03210348

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0e5e4facb2216bb3a84ef29ea0ff91e2903c47b893f7d441ce405644a1bbfda8
Instruction ID: 83224a0d134418ce0db0053c49a11f6156550eb7b5d7a41fb3a3600b7ef529e7
Opcode Fuzzy Hash: 0e5e4facb2216bb3a84ef29ea0ff91e2903c47b893f7d441ce405644a1bbfda8
Instruction Fuzzy Hash: 5B213AB1C003499FCB10DFAAC940AEEFBF5FF48310F10842AE519A7250D7789540CBA0

Function 03210040 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 032100BE

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 44c3e49338488316ffb05bbc81e5989aa7e331568a69f8758e6913c54c248d31
Instruction ID: b8657810eac8e1eff161d5ef452c7ced1bf12b3e3fa6292fb6d4194ff7685ebc
Opcode Fuzzy Hash: 44c3e49338488316ffb05bbc81e5989aa7e331568a69f8758e6913c54c248d31
Instruction Fuzzy Hash: 67211871D002098FDB10DFAAC5857EEBBF4EF58324F14842AD559A7240DB79A984CFA4

Function 0183D3B8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0183D386,?,?,?,?,?), ref: 0183D447

Memory Dump Source

Source File: 0000000A.00000002.2132460575.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_S1qgnlqr1V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7518e5135c3d856a9431f9b00ad664590ce4485686fce571008172291826c784
Instruction ID: fdb82b2a18d3d1cc24454c55ee1f9b4de348b34732bb1959bf893343bf192fb3
Opcode Fuzzy Hash: 7518e5135c3d856a9431f9b00ad664590ce4485686fce571008172291826c784
Instruction Fuzzy Hash: 5B21C2B5D002099FDB10CFAAD584AEEBBF5FF48310F14841AE918A3350D378AA44CFA5

Function 03210111 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03210186

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4af943ab845ca1cb1badf89921fd0e53eef684e8fcc1d19d59018c43a6ed725c
Instruction ID: 7dd52811c1bfeb5f58c0890f0ebbe7376839373ff03098e9be17444225335120
Opcode Fuzzy Hash: 4af943ab845ca1cb1badf89921fd0e53eef684e8fcc1d19d59018c43a6ed725c
Instruction Fuzzy Hash: 40214A718002499FCB10DFAAD845AEEBBF5FF88310F24841AD519A7250CB79A550CFA0

Function 07644078 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 076440F0

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 270fe124284982b5a08a6c4faf7c8509b821ddae97927f5ba8bf8ca381fc725e
Instruction ID: 02cc9843b8be5d2270faf7388f752d8d18d3e8a7c3390b37964649f5aa9b61a8
Opcode Fuzzy Hash: 270fe124284982b5a08a6c4faf7c8509b821ddae97927f5ba8bf8ca381fc725e
Instruction Fuzzy Hash: DB1144B1C0029A9BCB10DFAAD445B9EFBB4FF48310F10812AD819A3200D775A554CFA5

Function 07643394 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 076440F0

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: e9037433a5e6943ce2cde0ead73bf7d21a5b115db8771e7f209334296621d349
Instruction ID: e3ec08725b605f5476f09cfb7ba9e402e4e80117d13698d90ab7954247ab0bf2
Opcode Fuzzy Hash: e9037433a5e6943ce2cde0ead73bf7d21a5b115db8771e7f209334296621d349
Instruction Fuzzy Hash: BA1142B1C0065A9BCB10CF9AD445BAEFBB4FF49710F10812AD819B7240D778A910CFA4

Function 03210118 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03210186

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8cb0035f3a5294b7f4f8b26b9ea1f4ad28e01ca4c1de66df61af62099abfd338
Instruction ID: ebab3df33eaa964ba2f809bdd26679d51919717bf32d7f44e660c3292728737b
Opcode Fuzzy Hash: 8cb0035f3a5294b7f4f8b26b9ea1f4ad28e01ca4c1de66df61af62099abfd338
Instruction Fuzzy Hash: 831137718002499FCB10DFAAC944AEFBFF5EF48320F14841AE519A7250CB79A990CFA0

Function 0764FA8B Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0764FAF2

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c8dcbec58ddeeee5e8e99f5a12367f50f775cfffe5552128ac44b1999c07d635
Instruction ID: e49dfdb3f5a88f2c5c22b0c1c6e5ccb39b400ef7e1cd1f9b938acd84467540d0
Opcode Fuzzy Hash: c8dcbec58ddeeee5e8e99f5a12367f50f775cfffe5552128ac44b1999c07d635
Instruction Fuzzy Hash: 8E1158B1C003488FCB20DFAAD4447EEFBF5EF89320F24841AD419A7240CB78A944CBA4

Function 0764FA90 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0764FAF2

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 019f5ebe8e0336d43f45d9bd6df31c3994a1374bb714443ee1c37c794cb0d60f
Instruction ID: 5841a4d2b8efff0ea23af17348775fdf77694bd496c3bc1da5b255818a181254
Opcode Fuzzy Hash: 019f5ebe8e0336d43f45d9bd6df31c3994a1374bb714443ee1c37c794cb0d60f
Instruction Fuzzy Hash: 0B113AB1D002498FDB10DFAAC4457EFFBF5EF89320F24841AD519A7240CB79A544CBA4

Function 0183B3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0183B41E

Memory Dump Source

Source File: 0000000A.00000002.2132460575.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1830000_S1qgnlqr1V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b31a31ad7263b396ee9c0534fb461b00a2c688891936fda8340b2bc8f7dc6573
Instruction ID: c5fa312630971e8203f50e09478050d22f95e502ca4376fdc244fe55885757ea
Opcode Fuzzy Hash: b31a31ad7263b396ee9c0534fb461b00a2c688891936fda8340b2bc8f7dc6573
Instruction Fuzzy Hash: 0711E0B5C002498FDB10DF9AD444ADEFBF4EF88314F14842AD519A7210D379A645CFA5

Function 03212B47 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 03212BA5

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2566db05e0f4c1685eb5da9b6469a5be4fdaf7e85b4671198f6264bc5ba67ed6
Instruction ID: 986890c1eb9614273b8541afc85d073cc3a6fcd4cae620d2e7d1c43bfc8b8bab
Opcode Fuzzy Hash: 2566db05e0f4c1685eb5da9b6469a5be4fdaf7e85b4671198f6264bc5ba67ed6
Instruction Fuzzy Hash: 1511F2B5800249DFDB20CF99D585BDEBBF4FB48310F10841AE918A3200C379A584CFA0

Function 03212B48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 03212BA5

Memory Dump Source

Source File: 0000000A.00000002.2134841501.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3210000_S1qgnlqr1V.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 524ef372efd5ba0d1a811d346a629ccc3288293c640b27c53543d66493e7e57a
Instruction ID: acb0080f7a60e2a02148bec26d63fcf927fc7bc0d830213f35003a20589393ae
Opcode Fuzzy Hash: 524ef372efd5ba0d1a811d346a629ccc3288293c640b27c53543d66493e7e57a
Instruction Fuzzy Hash: A211C2B58003499FDB10DF9AD585BDEBBF8EB48310F10845AE958A7200D379A584CFA5

Function 076433A0 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 0764418F

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5f9689b9382e9767ffdd9b9758055f97474dc4ca4dccab1f6cfe44475969e123
Instruction ID: 176e133cf7a8d0de87e19feda3a51c03fbc2fbda80a5959367ad17b527083b8b
Opcode Fuzzy Hash: 5f9689b9382e9767ffdd9b9758055f97474dc4ca4dccab1f6cfe44475969e123
Instruction Fuzzy Hash: EF1125B18002498FDB10DF9AD445BEEFFF8EF49320F20846AE559A7241D778A944CFA5

Function 07644128 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 0764418F

Memory Dump Source

Source File: 0000000A.00000002.2156998776.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7640000_S1qgnlqr1V.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 11089bde84e1d0f1f851ad19c0e212036071deb884a09a27ef5fdcc60b3ba119
Instruction ID: 1dae3f63aec3aa864a873df0033e15010ae832d3a9354615624f078fa9417d25
Opcode Fuzzy Hash: 11089bde84e1d0f1f851ad19c0e212036071deb884a09a27ef5fdcc60b3ba119
Instruction Fuzzy Hash: 0B1113B18002898FDB20DF9AC445BEEFBF8EF49324F20846AD559A3241D779A544CFA5

Function 0154D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128691839.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_154d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe8f55ab2d090857095bd98216287bb1184531026dc9092bedd3ff5df98d976
Instruction ID: 368fe2969e93a06339488a94609c9af69e0a1f84a032f47c744d0f6a5348a17c
Opcode Fuzzy Hash: bfe8f55ab2d090857095bd98216287bb1184531026dc9092bedd3ff5df98d976
Instruction Fuzzy Hash: 5D210671500204DFDB05DF58D9C0B5ABFB5FBA8328F20C569E9090F256C37AE456C6A1

Function 0155D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128751584.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_155d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c47d6ae557fd60164b3b7cdf52a24cc8de0335336ea051199ec6143ac52e045
Instruction ID: af4f26353bb64c781164918730dcd1fe128f9bc4d3749ad4af0c4f6a5ae962f4
Opcode Fuzzy Hash: 5c47d6ae557fd60164b3b7cdf52a24cc8de0335336ea051199ec6143ac52e045
Instruction Fuzzy Hash: D9212572504200DFDB45DF98C5D0B26BBB5FB84324F20C96EDD094F252C33AD446CA61

Function 0155D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128751584.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_155d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ecd727eb3786c7c4b93904c042700b9f1dad8b7384da6c63bde78b38629b61
Instruction ID: eead40d9fd96753997b3fa31f4272bc3c8dbacc3789675f3b5cd858bb5d7163b
Opcode Fuzzy Hash: 84ecd727eb3786c7c4b93904c042700b9f1dad8b7384da6c63bde78b38629b61
Instruction Fuzzy Hash: 04210372504204DFDB55DF68D590B2ABFB5FB84314F20C96ADD094F266D33AD407CA61

Function 0155D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128751584.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_155d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3657610681940f2db977295645099b3b88bea93d6aab997b527742ab7d2e757c
Instruction ID: f640c180fb3b4f341dfdf355bd468782f3dc2e0cb0548de280b9fa845f33b5b1
Opcode Fuzzy Hash: 3657610681940f2db977295645099b3b88bea93d6aab997b527742ab7d2e757c
Instruction Fuzzy Hash: 292180755083849FDB03CF64D994B15BF71FB46214F28C5EAD8498F2A7D33A980ACB62

Function 0154D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128691839.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_154d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 3b1f1f329560a549899f9c1e88231689580b5190ef5cf3c30767f192de3aa7ec
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 9711CD76404240CFDB02CF54D5C4B5ABF71FB94224F24C6A9D9090A256C33AE45ACBA2

Function 0155D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128751584.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_155d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 68922cb4274a94e484c2cd00c5ecffac5ad6f029940c0411ec924a9855b1202a
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 7011A976504280DFDB42CF54C5D4B19BBB1FB84224F24C6AADC494B696C33AD44ACB62

Function 0154D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128691839.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_154d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4681a7e25216d889fc0c3f65dffc4619b378bf90a5f8a8ae6849c54f45d32281
Instruction ID: ec3e2b4a746db78e23d22ae50c62383e7c772eade5e568fe390d32b5c0c146be
Opcode Fuzzy Hash: 4681a7e25216d889fc0c3f65dffc4619b378bf90a5f8a8ae6849c54f45d32281
Instruction Fuzzy Hash: 8801A7710053849BE720CA99DD84B67BFF8FF56728F18C86AED090E287C2799840C671

Function 0154D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2128691839.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_154d000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bdbcf8902d8d29b3779636cf71fa18ea3bcdcf985454658ec8d31a4a77c111
Instruction ID: 524daa9231b9c4555707383bd3f94fdf682294b3449f584c66385fe40e1b85cc
Opcode Fuzzy Hash: f2bdbcf8902d8d29b3779636cf71fa18ea3bcdcf985454658ec8d31a4a77c111
Instruction Fuzzy Hash: DCF068714053849EE7118A1ADC84B66FFA8FF55628F18C45AED484E287C2795844CA71

Analysis Process: dnshost.exePID: 7388, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	143
Total number of Limit Nodes:	7

Executed Functions

Function 02160454 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02160696

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8b27426380db121d6e70ca1d0d9c1c520c2b1cf9449c5a11014f35a661b2addc
Instruction ID: e454ec3c1495344ea2f4d9e1898eeef1538892269dbb4a25836785cc5a718408
Opcode Fuzzy Hash: 8b27426380db121d6e70ca1d0d9c1c520c2b1cf9449c5a11014f35a661b2addc
Instruction Fuzzy Hash: 9D917D71D00219CFDF14CFA8C8447EEBBB2BF48314F0485AAD848A7294DB759995CF91

Function 02160460 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02160696

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 910012e74a4a73872a3b487c3d1e61cf33f632142bcd846d5ff6ed0232f44a12
Instruction ID: d4f4577cef8fbe379b81848bc8f6cd05de0c647aba6df2a840556680d5e5a270
Opcode Fuzzy Hash: 910012e74a4a73872a3b487c3d1e61cf33f632142bcd846d5ff6ed0232f44a12
Instruction Fuzzy Hash: 6A917D71D00219CFDF14CFA8C844BEEBBB2BF48314F0485A9D848A7294DB759995CF91

Function 0220590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022059C9

Memory Dump Source

Source File: 0000000B.00000002.2141862294.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2200000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 961c194482aa11c19474638df41d491328ff56fc177619304a16c9c95559cd1a
Instruction ID: 50ece980206eb8b2a54d60391585cc568f6f7f099c9cc24a3d0d735746ddb976
Opcode Fuzzy Hash: 961c194482aa11c19474638df41d491328ff56fc177619304a16c9c95559cd1a
Instruction Fuzzy Hash: DE41F4B0C0061DCFDB24CFA9C884ACDBBB5FF48304F60806AD419AB295DB75694ACF90

Function 022044C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022059C9

Memory Dump Source

Source File: 0000000B.00000002.2141862294.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2200000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cf918bd147841bebef5f98c5c9e576b20e303535d431d5852105c4215e92ee64
Instruction ID: 694d8aed3e2a9fedbcb8860b8ee8318369dcb1c06d2aaa80a500e8d16e95398a
Opcode Fuzzy Hash: cf918bd147841bebef5f98c5c9e576b20e303535d431d5852105c4215e92ee64
Instruction Fuzzy Hash: 0641F1B0C1071DCBDB24DFAAC884B8EBBF5BF48304F60806AD409AB255DB756949CF90

Function 02205A84 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2141862294.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2200000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21640be22076543612dd7af5de69cee1e488345e6371f783722d6ad12ffb01a3
Instruction ID: f45a61da8566c3b830cb7ad5389d164240cf74d985b3b510251c86e0f8250709
Opcode Fuzzy Hash: 21640be22076543612dd7af5de69cee1e488345e6371f783722d6ad12ffb01a3
Instruction Fuzzy Hash: 4331BC70804249CFDB11CBE8C8947ADBBF0BF06308F94414AC046AB2AAC779984ACF51

Function 02160006 Relevance: 1.6, APIs: 1, Instructions: 89
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 021600BE

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f6cac0e500551fe0f32df815cd52d697082281fbb532be897e4ba89a4cfe3825
Instruction ID: 0fd06f6e2fffca63e80b7cb464981dc0f8507f2392a5bfbc05d02e63f3c74632
Opcode Fuzzy Hash: f6cac0e500551fe0f32df815cd52d697082281fbb532be897e4ba89a4cfe3825
Instruction Fuzzy Hash: DF31C2718083888FCB01CFB9C8857EEBFF0EF4A314F1884AAD484A7292C7789545CB61

Function 021601D0 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02160268

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 17c2772584b98d1fc2b54a32403d7cf8c670547a2b4b69d28ff8895735a6322a
Instruction ID: 3bc111d335ea5ad3d47061e0a237eecfead25737f134662b26002c15c5694b53
Opcode Fuzzy Hash: 17c2772584b98d1fc2b54a32403d7cf8c670547a2b4b69d28ff8895735a6322a
Instruction Fuzzy Hash: B32125B19003599FCF10DFAAC985BEEBBF5FF48310F10842AE919A7250D7789954CBA0

Function 021601D8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02160268

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 90767ec3db8859c2aa9afaadfe49305ef124690757391afa44f619faacb522ea
Instruction ID: 0a0e879827531682b8bf3193727468507069c83b3e6c771c3ab49a97438f691a
Opcode Fuzzy Hash: 90767ec3db8859c2aa9afaadfe49305ef124690757391afa44f619faacb522ea
Instruction Fuzzy Hash: 3D2116B59003599FCF10DFAAC985BEEBBF5FF48310F10842AE919A7250D7789954CBA0

Function 0220D3B8 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0220D386,?,?,?,?,?), ref: 0220D447

Memory Dump Source

Source File: 0000000B.00000002.2141862294.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2200000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 87cf471ec23aa2ff18fee4d2393c0421b43b00de202ee1557c0221cf13eaa8a8
Instruction ID: 054beb0afd295f3541780fc33cc3e4b0b307015f940cfd2a872319edcd150989
Opcode Fuzzy Hash: 87cf471ec23aa2ff18fee4d2393c0421b43b00de202ee1557c0221cf13eaa8a8
Instruction Fuzzy Hash: D22103B59012499FDB10CFAAD984AEEFBF4FB48310F10805AE918A7250C378A945CFA0

Function 021602C0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02160348

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b403c1f47e78652e0d6f459e57b76249601854c04f54044f77cfbe66cc78f819
Instruction ID: 261a9f7a2d10bedcc5a075d4145c16ebce51b04fe0199cf56478aa421054c2d1
Opcode Fuzzy Hash: b403c1f47e78652e0d6f459e57b76249601854c04f54044f77cfbe66cc78f819
Instruction Fuzzy Hash: 262148B1C003499FCB10DFAAC985AEEBBF5FF48310F54842AE518A7250C7399954CBA0

Function 0220B388 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0220D386,?,?,?,?,?), ref: 0220D447

Memory Dump Source

Source File: 0000000B.00000002.2141862294.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2200000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1eee83c1548869fff365ed9cc7835b2e4242c6416af0df6343669aa5c4c1028c
Instruction ID: bbaea31c1087ae9b65418374fa55c97de05c7b24126ddbd04d17b3c5c8130393
Opcode Fuzzy Hash: 1eee83c1548869fff365ed9cc7835b2e4242c6416af0df6343669aa5c4c1028c
Instruction Fuzzy Hash: 8E21E5B5901248DFDB10CF9AD584ADEBBF4EB48310F14845AE914A7351D378A940CFA5

Function 021602C8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02160348

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 19a6e2cb2642a43534f4e096a719efc5340252db3b070635813ee840d00dc57b
Instruction ID: 3e9433fb6f7d2b697f5ec6fea1da1cb18e583d9e7748a895671ab2e84921a05d
Opcode Fuzzy Hash: 19a6e2cb2642a43534f4e096a719efc5340252db3b070635813ee840d00dc57b
Instruction Fuzzy Hash: DB2137B1C003499FCB10DFAAC984AEEFBF5FF48320F14842AE519A7250C7799940CBA0

Function 02160040 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 021600BE

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7ec9873ce9820aa4a7833a567f48de79b6644f61f59bc86b4d6e5beaa5788ac4
Instruction ID: 11ae9a48d993385f8fa2559d2f2356b15d08776918e7ff9d0c7fd87d00439d36
Opcode Fuzzy Hash: 7ec9873ce9820aa4a7833a567f48de79b6644f61f59bc86b4d6e5beaa5788ac4
Instruction Fuzzy Hash: D42115B19003099FDB10DFAAC5857AEBBF4FF48364F14842AD519A7240CB78A944CFA0

Function 0220B398 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0220B41E

Memory Dump Source

Source File: 0000000B.00000002.2141862294.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2200000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 71ff6a481904635e114f2568ea7adb4bbecb0da2ee90b0e756aaec3985eca1df
Instruction ID: 95db53f55abe29314846794825197ead8d7da9d31bddf8d876a89f29cdd87c0f
Opcode Fuzzy Hash: 71ff6a481904635e114f2568ea7adb4bbecb0da2ee90b0e756aaec3985eca1df
Instruction Fuzzy Hash: 732167B1C043898FDB10CFAAD484ADEBBF4EF48318F14806AC418A7651C338A546CFA0

Function 02160111 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02160186

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4819b3ce09dff8c9b5d2a758e4c00707626504723148db2e098665289a4b6a27
Instruction ID: ecc1c2d40e58087c8429d6fe64777cbc160a09a6a8db877455a78dfb608a9ebf
Opcode Fuzzy Hash: 4819b3ce09dff8c9b5d2a758e4c00707626504723148db2e098665289a4b6a27
Instruction Fuzzy Hash: 931159718002499FCB10DFAAC945AEFBFF5EF48310F108419E519A7250C779A954CBA1

Function 02160118 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02160186

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a35c108ec13f7e1567f06bde9ded1ccd6b9b5bfac8bcd94052a19853e87977a7
Instruction ID: 3878533b6fde12dd155e1af5746ff4533d449cacd6df0af07c2ec89e84de9e5c
Opcode Fuzzy Hash: a35c108ec13f7e1567f06bde9ded1ccd6b9b5bfac8bcd94052a19853e87977a7
Instruction Fuzzy Hash: B011F6B59002499FCB10DFAAC945AEFBFF5EF48320F148419E519A7250C779A954CBA0

Function 0220B3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0220B41E

Memory Dump Source

Source File: 0000000B.00000002.2141862294.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2200000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2995377b4a8d19d78dfb2106e84c42f34ffe90e8024ac334c1b49296d6a1476a
Instruction ID: 2c1a3e823d31f16fd727f9c3f584953557b6f68c6318d9d85f65b3562a89571d
Opcode Fuzzy Hash: 2995377b4a8d19d78dfb2106e84c42f34ffe90e8024ac334c1b49296d6a1476a
Instruction Fuzzy Hash: AF110FB5C002498FCB20CF9AD484ADEFBF4EB88218F10845AD428A7254C379A645CFA1

Function 02162B41 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02162BA5

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cc0d44a69bd8b1ce6d11231dba799bee2c1e3880f1380c3290fbfc28846d19d0
Instruction ID: b8ff592707dcddc75b74916863aadb35bae25b943948acc8e1e5ac1b96ee4124
Opcode Fuzzy Hash: cc0d44a69bd8b1ce6d11231dba799bee2c1e3880f1380c3290fbfc28846d19d0
Instruction Fuzzy Hash: A01103B5800249DFCB20DF99C588BEEBFF4FB48314F10845AE918A7610C379A954CFA0

Function 02162B48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02162BA5

Memory Dump Source

Source File: 0000000B.00000002.2141270538.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2160000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ccc49927a46b8d18bdad060d65e3e4bed3c2dfd5c90fdbcf09e620293558efe1
Instruction ID: e1910b878f5ed08cbe03e1193af3c28e858eab5995f36d0e82bde9dcf4a1dfc0
Opcode Fuzzy Hash: ccc49927a46b8d18bdad060d65e3e4bed3c2dfd5c90fdbcf09e620293558efe1
Instruction Fuzzy Hash: B111D3B58003499FDB20DF9AC989BDEBBF8EB48314F108459D918A7610C379A944CFA1

Function 0071D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2135714873.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020c7d8b171f6eece8796860811c98039da041c265fa05ddce9f014682fa4204
Instruction ID: af4936c8e45f86b3341368d28f1afb29bd805c8d59c93be8dcea1e41a3d92a1d
Opcode Fuzzy Hash: 020c7d8b171f6eece8796860811c98039da041c265fa05ddce9f014682fa4204
Instruction Fuzzy Hash: 942124B1100244DFDB25DF58D9C0B56BF65FB98314F20C569ED090B296C33EEC86CAA2

Function 020CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2137703969.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20cd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468c7baa4fbf1d7e0c8310260c56f726b7492c84978f4c7e2a66b19b00eedc11
Instruction ID: cac13ce5ca2b4378ba934b14bee2340494eb448ddda688b32a85fb8d465d71c4
Opcode Fuzzy Hash: 468c7baa4fbf1d7e0c8310260c56f726b7492c84978f4c7e2a66b19b00eedc11
Instruction Fuzzy Hash: 8921D0B1604304DFDB15DF28D984B2ABBA5FB88324F30C57DE94A4B256C33AD407DA62

Function 020CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2137703969.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20cd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7ffdf9d558eadc8d9e6d604d6fa201854fd68214cb573b3dd1b2a490cc4304
Instruction ID: 048893a6a820e233df3d011e1a63349def39a0609341efe6d94b8e99f7bec4a8
Opcode Fuzzy Hash: 0a7ffdf9d558eadc8d9e6d604d6fa201854fd68214cb573b3dd1b2a490cc4304
Instruction Fuzzy Hash: 0521F2B1504304EFDB06DF24D9C0B2ABBA5FB98314F30C57DE9494B29AC33AD406EA61

Function 020CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2137703969.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20cd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2562407eb95167bf1890dde899fd602ac1c6721da5c47c5bd7fff5373ccfe046
Instruction ID: 902d07b0ec4f89bb39688559c798f95620377e90346fab7276e0b9c70f12ad34
Opcode Fuzzy Hash: 2562407eb95167bf1890dde899fd602ac1c6721da5c47c5bd7fff5373ccfe046
Instruction Fuzzy Hash: BD2153B55083809FCB13CF14D994715BFB1EB46324F24C5EAD8498B2A7C33A9856DB62

Function 0071D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2135714873.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: c35c4e0ca25b79ebcb0e30467210bf8120e6c6f28ff7727836076c9e384b95cb
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3C11CD72404280CFCB16CF04D5C4B56BF62FB98324F24C6A9DD090A256C33AE85ACBA2

Function 020CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2137703969.00000000020CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_20cd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 03dbf4ec295c83d5b8266034171b48d72d9197fc60c9770d3617a8526fc8a240
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 4711BEB5504340DFCB02CF10C5C4B19BBA1FB84214F24C6ADD8494B296C33AD40AEB61

Function 0071D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2135714873.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4315108df70cf071b0cfd6f51a5545c1627d8f44bac810cb1c768b083c754676
Instruction ID: aa2286b69ee94ad79a54ce773b99acf49640ffab8daa86ffcac86ce5ef8ab64f
Opcode Fuzzy Hash: 4315108df70cf071b0cfd6f51a5545c1627d8f44bac810cb1c768b083c754676
Instruction Fuzzy Hash: 2F01A7710043449AD7308A2DDD84BA6FF98EF55720F18C86AED191A2C6C37D9C80CE71

Function 0071D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2135714873.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd01d2d6c6b667340fb79780ec772d4d7703d453999989e73072804a2de091c0
Instruction ID: c2a5142756676613886f8c7dd87f72e8ed007c960a22fcaf161622b987555bb9
Opcode Fuzzy Hash: fd01d2d6c6b667340fb79780ec772d4d7703d453999989e73072804a2de091c0
Instruction Fuzzy Hash: E3F06271404344AEEB208A1ADC84BA2FFA8EF65734F18C45AED585A2C6C3799C44CBB1

Analysis Process: S1qgnlqr1V.exePID: 7560, Parent PID: 7348COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	6

Executed Functions

Function 0153D418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0153D496
GetCurrentThread.KERNEL32 ref: 0153D4D3
GetCurrentProcess.KERNEL32 ref: 0153D510
GetCurrentThreadId.KERNEL32 ref: 0153D569

Memory Dump Source

Source File: 0000000E.00000002.2191851500.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1530000_S1qgnlqr1V.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 75ca314a7db2ebdccb01c9a7ae031d5a6c8af3b76e79a06094a6cfb4c07c8371
Instruction ID: d659b19473762b373aea60815e020d6278f7da40b6c0f0bf12a7d9d5b50ee354
Opcode Fuzzy Hash: 75ca314a7db2ebdccb01c9a7ae031d5a6c8af3b76e79a06094a6cfb4c07c8371
Instruction Fuzzy Hash: BC5138B09003098FDB14DFAAD548B9EBBF5FF88314F248459E409A7360D778A944CBA5

Function 0153AD88 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0153AFDE

Memory Dump Source

Source File: 0000000E.00000002.2191851500.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1530000_S1qgnlqr1V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b7ea937342c39c976f34ea8a59ccc9b1250ec99ccc64ab38cc07772ec4aa010c
Instruction ID: 682cbb32381c99462fdc8f0c88bf0a5a18c7e0266db2e21355dd834d22ca3845
Opcode Fuzzy Hash: b7ea937342c39c976f34ea8a59ccc9b1250ec99ccc64ab38cc07772ec4aa010c
Instruction Fuzzy Hash: 247137B0A00B058FDB25DF2AD44475ABBF5FF88304F008A2DD59ADBA50DB75E845CBA1

Function 0153D660 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0153D6E7

Memory Dump Source

Source File: 0000000E.00000002.2191851500.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1530000_S1qgnlqr1V.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a45a2085382584eba26e781818d2a4f2acbe441e624f4bd74802a00f103fbf09
Instruction ID: 5d18984e622fbc8961f7159f0a699521cd32d8f22e370f63935a2a1af6a984ad
Opcode Fuzzy Hash: a45a2085382584eba26e781818d2a4f2acbe441e624f4bd74802a00f103fbf09
Instruction Fuzzy Hash: EC21E2B59002089FDB10CFAAD984ADEFFF8FB48310F14841AE918A7310C378A940CFA4

Function 0153AF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0153AFDE

Memory Dump Source

Source File: 0000000E.00000002.2191851500.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1530000_S1qgnlqr1V.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 10e306fd4877c21d605b2b98554ce22c3e993cea7a4dc22682d6a95fef7a73cc
Instruction ID: 2d612007cdeb130a182d1253c5e613c69b4486c83bfaac861c315b8bb777bd89
Opcode Fuzzy Hash: 10e306fd4877c21d605b2b98554ce22c3e993cea7a4dc22682d6a95fef7a73cc
Instruction Fuzzy Hash: 2B11EDB6C006498FDB10DF9AD444ADEFBF8FF88324F10842AD969A7650C379A545CFA1

Function 014ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2191448143.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14ed000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e0d571215ffd1039a20c909c0db5dabf55d82639ef9df2db96fad7234954d6
Instruction ID: d3680a0b144b97a2c0e684f7ceef700b41d41e9c4068ee96b7ccca5f8aaa1e16
Opcode Fuzzy Hash: 31e0d571215ffd1039a20c909c0db5dabf55d82639ef9df2db96fad7234954d6
Instruction Fuzzy Hash: FF2125B1904200DFCB15DF68D988B26BFA5FB84319F28C56ED90A0B366C33AD407CA61

Function 014ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2191448143.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14ed000_S1qgnlqr1V.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c8d376d1e593361b5b67634f6e648e200a9afceee1c3aaf62c0cb408ea0c9b
Instruction ID: b2d2bd8cd13cabe33f6c2ce66c25eae7e537fb2efe0f5113b2621ce1419c4866
Opcode Fuzzy Hash: 97c8d376d1e593361b5b67634f6e648e200a9afceee1c3aaf62c0cb408ea0c9b
Instruction Fuzzy Hash: E02183755093808FDB03CF24D594716BFB1EB46214F28C5DBD8498B267C33A980ACB62

Analysis Process: dnshost.exePID: 7576, Parent PID: 7388COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	6

Executed Functions

Function 0174D418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0174D496
GetCurrentThread.KERNEL32 ref: 0174D4D3
GetCurrentProcess.KERNEL32 ref: 0174D510
GetCurrentThreadId.KERNEL32 ref: 0174D569

Memory Dump Source

Source File: 00000010.00000002.2189694579.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1740000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 73875e7c243b976cbfdf01601d09719c5bf041fc422277ec705f3f7ab70fa6be
Instruction ID: 4acfc245a3c3b4eacf33df4885aef5295b3505e7699a144c8e91328646b59e50
Opcode Fuzzy Hash: 73875e7c243b976cbfdf01601d09719c5bf041fc422277ec705f3f7ab70fa6be
Instruction Fuzzy Hash: 585134B09003098FDB18DFA9D548BAEFBF1FF48314F248059E419A7260D778A984CB65

Function 0174AD88 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0174AFDE

Memory Dump Source

Source File: 00000010.00000002.2189694579.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1740000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 76d690badc9efbee1fe45c6d9f04307cca6d35171874c16764e6f16db68de3f9
Instruction ID: 93ff943a39e97c2be428fe490d2efd645f1eabf534b5a82d43a9e51e0adbc105
Opcode Fuzzy Hash: 76d690badc9efbee1fe45c6d9f04307cca6d35171874c16764e6f16db68de3f9
Instruction Fuzzy Hash: C5713370A00B058FEB24DF29D44579AFBF5FF88204F008A2DD59AD7A54DB35E845CB90

Function 0174D660 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D6E7

Memory Dump Source

Source File: 00000010.00000002.2189694579.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1740000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b12eac142230a0123145068504191f26c2627827f1280fb7b2fce1cc16cedb6
Instruction ID: 31b023812da0a5e04e5a05519cac110af80f69e70c2eb42619c29f0de54480d6
Opcode Fuzzy Hash: 9b12eac142230a0123145068504191f26c2627827f1280fb7b2fce1cc16cedb6
Instruction Fuzzy Hash: 1F21C2B59002499FDB10CFAAD984ADEFFF9FB48310F14841AE958A3350D379A944CFA5

Function 0174AF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0174AFDE

Memory Dump Source

Source File: 00000010.00000002.2189694579.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1740000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0b73438dc0370519e24829583ebf6090d5a864fb24b92ed8650f728c7349a6c4
Instruction ID: 1eddf805b55072b15745bae7b2a2c3153a6acdc4519c705de4a820a59156299f
Opcode Fuzzy Hash: 0b73438dc0370519e24829583ebf6090d5a864fb24b92ed8650f728c7349a6c4
Instruction Fuzzy Hash: E311EDB6C002498FDB10DF9AC444BDEFBF8EF88324F10842AD929A7650C379A545CFA1

Function 016CD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2189383870.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_16cd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4172eb0bd1d44311003861b36fb8aaa2097b06295953d082d171461e857bfe
Instruction ID: b1e0db551cee0fa90fc934c9f2df076aee33c2a6eef18ba0935b2de4fba9dbd9
Opcode Fuzzy Hash: ed4172eb0bd1d44311003861b36fb8aaa2097b06295953d082d171461e857bfe
Instruction Fuzzy Hash: 1C21F171504200EFDB06DF98D9C0B26BF65FB98718F60C57DE90A0A256C33AD456CAE2

Function 016DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2189469320.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_16dd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4596b419fe66ffd22a4f00cb3bbb431c91b240fe8c6acad60604590b5103ff6b
Instruction ID: 9c4ccea1598097332be853d1a62a049240601b143819ae51594e090b0380e598
Opcode Fuzzy Hash: 4596b419fe66ffd22a4f00cb3bbb431c91b240fe8c6acad60604590b5103ff6b
Instruction Fuzzy Hash: 0B210071A04200DFCB15EF68D980B26BF65EBC8314F20C569D90A4B396C33AD407CAA1

Function 016DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2189469320.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_16dd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be25f8a2123b6a5b1a30553740726ea63a324a9f2af065f1d9a578103d465169
Instruction ID: f17bb0fa1e8774c0660c002a6b957d0eafd44e20914559917470e17ce56b9a23
Opcode Fuzzy Hash: be25f8a2123b6a5b1a30553740726ea63a324a9f2af065f1d9a578103d465169
Instruction Fuzzy Hash: 982192755083809FCB03DF64D994711BF71EB86214F28C5EAD8498F2A7C33A980ACB62

Function 016CD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2189383870.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_16cd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 0f1a4fc4dd0af56cc5932ad5d27c0df053e7346947b7a13cba742fe1b5b61585
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6511DF72504240DFDB02CF48D9C4B26BF61FB94324F24C5ADD9090B257C336D45ACBA2

Analysis Process: dnshost.exePID: 8096, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	213
Total number of Limit Nodes:	7

Executed Functions

Function 06E42CA0 Relevance: 1.6, APIs: 1, Instructions: 58
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06E42D27

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: eec622e914d6e94fd196786dbe21b8e351c2d3be929435aff32a3f8e2504f3c2
Instruction ID: 52e31932bd1b1cb78205cb20ffdb450934e559786b0fbe5acbf1da540fd0ad38
Opcode Fuzzy Hash: eec622e914d6e94fd196786dbe21b8e351c2d3be929435aff32a3f8e2504f3c2
Instruction Fuzzy Hash: 4221BFB59013499FCB10DF9AD885ADEBBF5FF48314F10842AE918A7210D375A944CFA5

Function 06E42CA8 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06E42D27

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e9fb460bcb7f4cafb722176c14facd94981d8838af5da6ae8e97c65a118b22b3
Instruction ID: a1ba44d58e44ab846863611fe71d4ccc2c8a5bf18cd68d704e8b4aab73e04d9e
Opcode Fuzzy Hash: e9fb460bcb7f4cafb722176c14facd94981d8838af5da6ae8e97c65a118b22b3
Instruction Fuzzy Hash: EB21BDB59003499FCB10DF9AD884ADEBBF4FF48310F10842AEA18A7210C379A944CFA5

Function 070F02BC Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070F04FE

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a743ffdab3529ce28b7ca62bcf4ad252d1893ea813972c7c3ed4ed5034bd34ef
Instruction ID: 6edca21ed2872afe731d15fd47d4fc8189fa0822d7a631caea6202682d8f6f72
Opcode Fuzzy Hash: a743ffdab3529ce28b7ca62bcf4ad252d1893ea813972c7c3ed4ed5034bd34ef
Instruction Fuzzy Hash: 15A16EB1D0021ACFDB14DF68C941BEEBBF2BF48310F048269D908A7691DBB49985CF91

Function 070F02C8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070F04FE

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3c4caf2dd670a5f23a68ffb849e752e6fdef81cc46670b29b091a46621aace72
Instruction ID: 86cd693128925f3f642808910f7310318e8cc6f67913e538f6372156ac644a98
Opcode Fuzzy Hash: 3c4caf2dd670a5f23a68ffb849e752e6fdef81cc46670b29b091a46621aace72
Instruction Fuzzy Hash: 0C916EB1D0021ACFDB14DF68C941BEEBBF2BF48310F048269D918A7295DBB49985CF91

Function 00ED44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00ED59C9

Memory Dump Source

Source File: 00000013.00000002.2222646901.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ed0000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bc8762aa670158a53ff14f3a7bafcdf7008484ba960ed0e0b6664655b801b417
Instruction ID: 8b4139f1e8d4e836eec16445dbba7c553ef58831dfae596dfffeba723fc03e42
Opcode Fuzzy Hash: bc8762aa670158a53ff14f3a7bafcdf7008484ba960ed0e0b6664655b801b417
Instruction Fuzzy Hash: 1D41EDB1C0061DCFDB24DFA9C884B9EBBB5FF89304F20806AD418AB255DB756946CF90

Function 070F0023 Relevance: 1.6, APIs: 1, Instructions: 84
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070F00D0

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 47bccd4163af8487cf8c2548fcb123300d8f57c55c58141390ae10ff276dde92
Instruction ID: 7496735090f13d7aca1edbddd745650e98e97c9099d06fe4137aa0780afa5727
Opcode Fuzzy Hash: 47bccd4163af8487cf8c2548fcb123300d8f57c55c58141390ae10ff276dde92
Instruction Fuzzy Hash: 1B3168B19003599FCB10CFA9C881BEEBFF5FF48310F14842AE958A7251C7789944CBA1

Function 070F0040 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070F00D0

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: aa825db43d45cc25d5b1c55d96e8b1da41ff43c2fe35a08b8f048e8ff4f73cea
Instruction ID: aff0d6628acf00edfab54c9f54783632d7cd344e1afde9cef16407301262b5ec
Opcode Fuzzy Hash: aa825db43d45cc25d5b1c55d96e8b1da41ff43c2fe35a08b8f048e8ff4f73cea
Instruction Fuzzy Hash: EC2139B19003499FCB10DFAAC885BEEBBF5FF48310F108429E919A7251C7799944CBA0

Function 070F0128 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070F01B0

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9c299431c5f1c4ec064aa6579e8bfc136b1077e720ebdf53b9622abc8866eabd
Instruction ID: 6a57ed6ec63eed715449ae4e7daa84d504ca4f49bbf69c24991012b2ccbc7ea1
Opcode Fuzzy Hash: 9c299431c5f1c4ec064aa6579e8bfc136b1077e720ebdf53b9622abc8866eabd
Instruction Fuzzy Hash: 642125B1C003499FDB10DFAAC885AEEBBF5FF48310F10842AE919A7250D7789944CBA5

Function 00EDB388 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EDD386,?,?,?,?,?), ref: 00EDD447

Memory Dump Source

Source File: 00000013.00000002.2222646901.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ed0000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b31b914c6d7028580f6d46cb25269930387aac5fd22e76859639cf97adc9d8a3
Instruction ID: de2629d8e984285b205a6925f0ef224fb9ae23712601e8aba116d3d82daa7d77
Opcode Fuzzy Hash: b31b914c6d7028580f6d46cb25269930387aac5fd22e76859639cf97adc9d8a3
Instruction Fuzzy Hash: 0121E3B59002489FDB10CF9AD984AEEBBF9EB48314F14841AE918B7310D379A950CFA5

Function 06E4FE42 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E4FEC6

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 97b5cb1e2fc175c2e3f4386f2a036ac103ab463e9c2a3739ac8797eaec1c9767
Instruction ID: 9930bf4dba65e67600a97a7e17b217f96c49ff3ad28bad9066cf4388f0f61007
Opcode Fuzzy Hash: 97b5cb1e2fc175c2e3f4386f2a036ac103ab463e9c2a3739ac8797eaec1c9767
Instruction Fuzzy Hash: BC213AB1D003098FDB50DFAAC8857EEBBF4EF88324F148429D519A7241C778A544CFA1

Function 06E4FE48 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E4FEC6

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d379d42033272e7d0f81a7652dd9dd2d8f74e1d0c9ca0e3d08ea1f644be8454f
Instruction ID: 52e31a06399c25c53a659db6e6581d0d21dbb4017a08113c33eae7538159fbf4
Opcode Fuzzy Hash: d379d42033272e7d0f81a7652dd9dd2d8f74e1d0c9ca0e3d08ea1f644be8454f
Instruction Fuzzy Hash: B4213BB1D003098FDB50DFAAC5857EEBBF4EF88324F14842AD519A7241CB78A944CFA1

Function 070F0130 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070F01B0

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 583b52ceea2870e67428af1946d187229b3469fd51462926ba803fc7b5fb11e1
Instruction ID: f4960717803694f283449bf1f3d679babc20f6354873b61cfa30f6a88084f01b
Opcode Fuzzy Hash: 583b52ceea2870e67428af1946d187229b3469fd51462926ba803fc7b5fb11e1
Instruction Fuzzy Hash: 682137B1C003499FDB10DFAAC880AEEFBF5FF48310F10842AE519A7250D7389944CBA1

Function 00EDD3BF Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EDD386,?,?,?,?,?), ref: 00EDD447

Memory Dump Source

Source File: 00000013.00000002.2222646901.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ed0000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 34b600578fcccc08ecb79db19e1ef4951d438e0301927e5b1b92fc2006452c8b
Instruction ID: 7e922d6e75d02aaa3888573269635c6023c1c6836855cdc2c4bd238b637e5297
Opcode Fuzzy Hash: 34b600578fcccc08ecb79db19e1ef4951d438e0301927e5b1b92fc2006452c8b
Instruction Fuzzy Hash: D521C2B59002489FDB10CFAAD984ADEBFF5FB48310F14841AE918A7350D379A945CFA1

Function 06E4FF18 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E4FF8E

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 557547ef81a4b18212ff7c87500c05be19220ee89760642fd3496dff314cda99
Instruction ID: 7583a2b975e4cc768407d25735f6ca7c3d8e9a42025e182181459dcaf8f6a61b
Opcode Fuzzy Hash: 557547ef81a4b18212ff7c87500c05be19220ee89760642fd3496dff314cda99
Instruction Fuzzy Hash: 7F1159718002489FCB10DFAAC845BDFBBF5EF88314F248419E519A7250C7759540CBA1

Function 06E44078 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06E440F0

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: ee3496f94a8622877ca4053069ef7e8f87c533f124dedbaea3f802a2e8459313
Instruction ID: b3f2801e68e1b45ae3a4dd6f1bb971d9843ea9416eea06d65ecbfda5f63ff114
Opcode Fuzzy Hash: ee3496f94a8622877ca4053069ef7e8f87c533f124dedbaea3f802a2e8459313
Instruction Fuzzy Hash: 0E1142B1D002599BCB10DF9AD844B9EFBF4FB48320F10811AE818B3240D378A554CFA1

Function 06E4FF20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E4FF8E

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9cb9d838c48d927c143ca858cf65e658246a2b54871b17c95b5b49548aed1d38
Instruction ID: d950d412ab714ece0408ddbd2b56e72334358ad95a3d44207c541e421017f98a
Opcode Fuzzy Hash: 9cb9d838c48d927c143ca858cf65e658246a2b54871b17c95b5b49548aed1d38
Instruction Fuzzy Hash: 5E1137719002499FCB10DFAAC845AEFBFF5EF88324F248419E519A7250C779A540CFA1

Function 06E4F958 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E4F9C2

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d55ceaf995ad1f62e027d99bbaa2918bc72aad0553984a0c1a4bfa64fbaee4c1
Instruction ID: 162f08afcfea1df0ff6872c4678f31edd2b0e2b5c6b0244085866f25c8747516
Opcode Fuzzy Hash: d55ceaf995ad1f62e027d99bbaa2918bc72aad0553984a0c1a4bfa64fbaee4c1
Instruction Fuzzy Hash: D81149B19002488BCB20DFAAC8457EFBBF4EB88314F248419D519A7240CB79A540CBA1

Function 06E44080 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06E440F0

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 5bd4a51da1f6bcf0cbca030c1a5cbc7f4be494251e20ba9e0abd60cfca7be22b
Instruction ID: 605be84ea02f9f6946123ee06e24c04431534cb2f7c1e3d865472c72c2cebbde
Opcode Fuzzy Hash: 5bd4a51da1f6bcf0cbca030c1a5cbc7f4be494251e20ba9e0abd60cfca7be22b
Instruction Fuzzy Hash: 4B1120B1D006599BCB10DFAAD844B9EFBF4FB48320F10812AD918A3240D379A954CFA1

Function 06E4F960 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E4F9C2

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5b15e3c8623cbb615c6bacd3e2779c197476aa931c1756c30052c1b1bdbdd601
Instruction ID: c087427e3eaf89d3b39aad40f500203001b7471705311717a50be609190885e3
Opcode Fuzzy Hash: 5b15e3c8623cbb615c6bacd3e2779c197476aa931c1756c30052c1b1bdbdd601
Instruction Fuzzy Hash: 91113AB1D003488FDB10DFAAC8457AFFBF5EF88724F20841AD519A7250CB79A544CBA1

Function 070F26C0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070F2725

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 64c7197aae05119b13904c9b72fb68baa5805c6fc8af3d13fa76f516b110a186
Instruction ID: 6c43e2981ad2c4285b26e7fe9d61f7cef965ec7ef57651f0872de423bbf5a7fb
Opcode Fuzzy Hash: 64c7197aae05119b13904c9b72fb68baa5805c6fc8af3d13fa76f516b110a186
Instruction Fuzzy Hash: 5C11F5B58003499FDB10DF9AD985BDEBBF8FB48310F10841AE558A7600C379A544CFA1

Function 00EDB3B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EDB41E

Memory Dump Source

Source File: 00000013.00000002.2222646901.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ed0000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fb5c7b065c5bfecaa1a95584da13c46d6177b25a4e82babe4941b43c0d66b25f
Instruction ID: 7ec3a9cfb52c18386b0a2058ba7858134f3d89c91d9f5656a24363bf58883e02
Opcode Fuzzy Hash: fb5c7b065c5bfecaa1a95584da13c46d6177b25a4e82babe4941b43c0d66b25f
Instruction Fuzzy Hash: 9E110FB5C002498FCB10CF9AC444ADEFBF4EB88314F10841AD428B7310D379A545CFA1

Function 00EDB3B7 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EDB41E

Memory Dump Source

Source File: 00000013.00000002.2222646901.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_ed0000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 60f4ac2f75cbc9168af913e829aac02017358e5dcac5fd178a0b0e72954e0a24
Instruction ID: b2af94383b968a29b704622dfe564697bab5adbf17b7d14154f9fc90c1ec87de
Opcode Fuzzy Hash: 60f4ac2f75cbc9168af913e829aac02017358e5dcac5fd178a0b0e72954e0a24
Instruction Fuzzy Hash: 74110FB5C002498FCB10CF9AD444ADEFBF4EB88314F10841AD428B7310D379A546CFA1

Function 070F26C8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070F2725

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5e784e2f0c58d08f10861fee59da80df091f5d1fc84e6b54a77e46463959e881
Instruction ID: 2bdd6cdcc119f4420c90f3a90ed8d07be3e7e28ff344081b52b5000ec730db9b
Opcode Fuzzy Hash: 5e784e2f0c58d08f10861fee59da80df091f5d1fc84e6b54a77e46463959e881
Instruction Fuzzy Hash: 891100B58003499FDB10DF9AC884BDEBBF8FB48320F10841AE558A7600C379A944CFA1

Function 070F4201 Relevance: 1.3, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,070F40B9,?,?), ref: 070F4260

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8c1595b8f8f238fe811f0795e9a4a5587e7bcdc20fa5e415b2e5d99f25e4c700
Instruction ID: 8d8b6cd5fd5c642e527d7f503a2552048660835255b6afaa6347ea184d259082
Opcode Fuzzy Hash: 8c1595b8f8f238fe811f0795e9a4a5587e7bcdc20fa5e415b2e5d99f25e4c700
Instruction Fuzzy Hash: 981125B58002499FCB20DF9AD845BDEBBF4FB48320F20851AE958A7740D739A584CFA5

Function 06E43384 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06E4418F

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 317e2b7e9a99db1f730c31d2d1399e3a50f82046c53d1f150d43ba67d7509723
Instruction ID: a3dae746cc8fc9b44c502d8f215435776f83e288397a8d1249678017f8a3e16b
Opcode Fuzzy Hash: 317e2b7e9a99db1f730c31d2d1399e3a50f82046c53d1f150d43ba67d7509723
Instruction Fuzzy Hash: E11113B1900349CFDB10DF9AD845BEEBBF8EB58324F108469E518A3750D378A944CBA5

Function 06E44128 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06E4418F

Memory Dump Source

Source File: 00000013.00000002.2239503845.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6e40000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 59be2d80691f3f5a00df5440da25e010b4c1ec4cc34fde7bc61552290de9ef78
Instruction ID: 784bdd940ce576ec25cc980b5376d92a34cd12012d09198cf02031e2fd0e539a
Opcode Fuzzy Hash: 59be2d80691f3f5a00df5440da25e010b4c1ec4cc34fde7bc61552290de9ef78
Instruction Fuzzy Hash: 1C1113B1900249CFDB10DF9AC885BDEBBF8EB48324F108419E558A3651D378A544CFA5

Function 070F3588 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,070F40B9,?,?), ref: 070F4260

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fa9daad06855fc78710dd3d25a2ff72a8a1d64bb13cf8237ca4fa2c996147317
Instruction ID: d1a73f6a015ebc93fb2558715644e8402431773955a603d0aa35221a97635431
Opcode Fuzzy Hash: fa9daad06855fc78710dd3d25a2ff72a8a1d64bb13cf8237ca4fa2c996147317
Instruction Fuzzy Hash: 6F1128B58002498FDB50DF99C545BDEBBF4EB48320F108429EA58A7740D338A544CFA5

Function 070F35C4 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,070F40B9,?,?), ref: 070F4260

Memory Dump Source

Source File: 00000013.00000002.2239903976.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_70f0000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: df46e41a66f869dbe095189a422c848ac80fc605a1bb51d7d11aa3373daa55c1
Instruction ID: 53cb8b757107d9aa1576082d9d0a73a7e49ea87ba6fad6dc073baacd7ab07bc1
Opcode Fuzzy Hash: df46e41a66f869dbe095189a422c848ac80fc605a1bb51d7d11aa3373daa55c1
Instruction Fuzzy Hash: 86113AB5800349DFDB50DF99C445BDEBBF4EB48320F108529EA58A7740D338A544CFA5

Function 00C5D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222150552.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_c5d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac4ec146312c2c2321f3261699e98b188cee521b6052d1518344c370f03d2c9
Instruction ID: f91532b1394f4ef50878b4cbaed7341a21fadc69c01b96ebd67e4b13e5768661
Opcode Fuzzy Hash: fac4ec146312c2c2321f3261699e98b188cee521b6052d1518344c370f03d2c9
Instruction Fuzzy Hash: DD210679500304DFDB25DF14D9C0B26BF65FB98315F20C569ED0A0B256C33AE89ADAA2

Function 00E7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222362410.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e7d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3532ac4f49e445f3ad19b9505c13bfdacf33edcb0ea988ad0971b5c0141a6700
Instruction ID: 0702c81d606aadff1135bb592db017d8bb8a075c4d59f5971949c1d1e5191d22
Opcode Fuzzy Hash: 3532ac4f49e445f3ad19b9505c13bfdacf33edcb0ea988ad0971b5c0141a6700
Instruction Fuzzy Hash: 3A21D3716082449FDB05DF54D980B26BB75FF84318F24C569D94D5B266C33AD806CA61

Function 00E7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222362410.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e7d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf299bc3392374c93725399128bedd34ec3f7abd9939c41e25e81d82fd1635f2
Instruction ID: 2d7307171215746a06b869c67dd5ee687af6e4095cb1aad4559a2d67d6f9ba8c
Opcode Fuzzy Hash: bf299bc3392374c93725399128bedd34ec3f7abd9939c41e25e81d82fd1635f2
Instruction Fuzzy Hash: 1621D075608204DFCB15DF24D984B26BB76EF88318F24D569D90E5B296C33AD807CA61

Function 00E7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222362410.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e7d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91dbc26c27c3ab59455de13ef2fb5314d06a9b139edcb0188f599c62466afc7
Instruction ID: eeeffdd5f4d8fa9b8ae7f7a03818ee7fac5cd93e5e80623afa229c35a84d53da
Opcode Fuzzy Hash: a91dbc26c27c3ab59455de13ef2fb5314d06a9b139edcb0188f599c62466afc7
Instruction Fuzzy Hash: CD21507550D3808FDB12CF24D994715BF72EF46314F28C5EAD8498B6A7C33A980ACB62

Function 00C5D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222150552.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_c5d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 3bf3c78d6ac168233dc595f537484cee712c3a9bb1d17307159235371fba6097
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3C11CD76404340CFDB16CF00D5C4B16BF62FB94324F24C6A9DD4A0A256C33AE99ACBA2

Function 00E7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222362410.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e7d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: ef8942525b34bbf5cae4d365d178887e9c02ef3e65a04799aa9497a6263940f3
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 0411BE75508280DFCB02CF50C9C4B15BF71FF84318F24C6A9D8494B266C33AD81ACB61

Function 00C5D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222150552.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_c5d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c84625264310697be2a1b1896cf1a72ece669c62c1c7ea73c62c097f6eb1af7
Instruction ID: ca88458a81a9c7bfa909bdaac194beb791d68a9ea5e9791af876a90df2ceca66
Opcode Fuzzy Hash: 7c84625264310697be2a1b1896cf1a72ece669c62c1c7ea73c62c097f6eb1af7
Instruction Fuzzy Hash: 9C012035004344DDE7304B16CC84B57FF9CEF59362F18C459ED1A0A25AC3799884C675

Function 00C5D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2222150552.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_c5d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74740598df9129e4ada467cddd580ed325b2107bb81041035b69b3e960520ba
Instruction ID: f9c94322bec69129a129627c4ab28ebe973a9efacb170b498e35342aba82270f
Opcode Fuzzy Hash: c74740598df9129e4ada467cddd580ed325b2107bb81041035b69b3e960520ba
Instruction Fuzzy Hash: E7F0F675004344DEE7208B16DC84B62FFA8EF55775F18C45AED190B29AC3799C44CAB5

Analysis Process: dnshost.exePID: 8140, Parent PID: 8096COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	127
Total number of Limit Nodes:	13

Executed Functions

Function 016CD408 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016CD496
GetCurrentThread.KERNEL32 ref: 016CD4D3
GetCurrentProcess.KERNEL32 ref: 016CD510
GetCurrentThreadId.KERNEL32 ref: 016CD569

Memory Dump Source

Source File: 00000014.00000002.2282399219.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16c0000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fb2694cfac44568ac431c772a7a9258833eb91cee6d9fdd59efc86e93d41a713
Instruction ID: 93f29459c591b58b2e24e14f4f992a1f65e26b08c7626eea4bcd459b818fd05e
Opcode Fuzzy Hash: fb2694cfac44568ac431c772a7a9258833eb91cee6d9fdd59efc86e93d41a713
Instruction Fuzzy Hash: AF5126B09006098FDB18DFA9D948BAEBBF5EF48314F24C06DD119A7390D738A944CFA5

Function 016CD418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016CD496
GetCurrentThread.KERNEL32 ref: 016CD4D3
GetCurrentProcess.KERNEL32 ref: 016CD510
GetCurrentThreadId.KERNEL32 ref: 016CD569

Memory Dump Source

Source File: 00000014.00000002.2282399219.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16c0000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e2a8f5a91661c51828937193f55b918aafcf26a278a032e86aff1fc4b5326a4d
Instruction ID: 3b9f8ea3ea397c7c032ef309ecb68bb4baae3c27877b71e7e6987c7fd6d634f9
Opcode Fuzzy Hash: e2a8f5a91661c51828937193f55b918aafcf26a278a032e86aff1fc4b5326a4d
Instruction Fuzzy Hash: 8D5136B09003098FDB14DFA9D948BAEBBF5EF48314F24C06DD119A7350D738A944CBA5

Function 016CAD88 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016CAFDE

Memory Dump Source

Source File: 00000014.00000002.2282399219.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16c0000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0562d22dee89b8c624b932993a49f6c357708e5bc88063904abf8474c8cc2d46
Instruction ID: 56b75942f480a39dc53cc56fd09115b03f80ed6bbb53f9f635b3cb4df698628a
Opcode Fuzzy Hash: 0562d22dee89b8c624b932993a49f6c357708e5bc88063904abf8474c8cc2d46
Instruction Fuzzy Hash: EB712470A00B098FDB24DF6AD84476ABBF5FF88604F008A2DD58697B50EB74E845CB90

Function 05790560 Relevance: 1.6, APIs: 1, Instructions: 68
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 057905E5

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dc231b37e98746546105ed5bce2701e03cd0432e267b9638b66479cbeb249708
Instruction ID: 7eb5751b8971dffa9a3fbec91401b1639e2ec2cc8722150a5b21c960b13117c8
Opcode Fuzzy Hash: dc231b37e98746546105ed5bce2701e03cd0432e267b9638b66479cbeb249708
Instruction Fuzzy Hash: 6A216B75808389CFDB11CF5AD845BDABFF4AF0A310F04409AD584EB252C2389544DBA1

Function 016CD658 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016CD6E7

Memory Dump Source

Source File: 00000014.00000002.2282399219.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16c0000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dc3aeb89bd1efed970bb365b8e1a800d105c9fd352eadeafda7a73c852423ba2
Instruction ID: 151d4ab551401db885d50eb7fcea817ea8569ddf4756b1aec00df598833dfb35
Opcode Fuzzy Hash: dc3aeb89bd1efed970bb365b8e1a800d105c9fd352eadeafda7a73c852423ba2
Instruction Fuzzy Hash: 3C21E4B59002499FDB10CF9AD985AEEFFF9FB48310F14841AE918A7350C379A944CFA1

Function 016CD660 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016CD6E7

Memory Dump Source

Source File: 00000014.00000002.2282399219.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16c0000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2b5b5e901a09cb63d65be91c342213744fd547583ae18427388fab7fce796b24
Instruction ID: 9d18278727defdab5e0e6a7ff505e29198cecf54ff7a1cef6f3fcc8bd4b9d7f7
Opcode Fuzzy Hash: 2b5b5e901a09cb63d65be91c342213744fd547583ae18427388fab7fce796b24
Instruction Fuzzy Hash: 9021C4B59002599FDB10CF9AD984AEEBFF9FB48310F14841AE918A7350D378A944CFA5

Function 05790588 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 057905E5

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0bb59ca0e77fdec2c4c2d13f7d5a334f1110df1da080057bc97866d0431b0bbe
Instruction ID: b52dd8eef114fe3608890ed50100b8ece8258ff630bf3065ed260d75b6fc0d04
Opcode Fuzzy Hash: 0bb59ca0e77fdec2c4c2d13f7d5a334f1110df1da080057bc97866d0431b0bbe
Instruction Fuzzy Hash: E911F5B5800349DFDB10CF9AC849BEEBBF8EB48320F108419E558A7650D378A584CFA5

Function 05791758 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 057917B5

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: dc457baed5eaa0c4026f8b9b4ecc41b4702beb0fb84284b1e909191d90750aaf
Instruction ID: 41e367b19ea97022ff195cc71d438ff2df8b9af76c271425a49c50d704a229fa
Opcode Fuzzy Hash: dc457baed5eaa0c4026f8b9b4ecc41b4702beb0fb84284b1e909191d90750aaf
Instruction Fuzzy Hash: E11142B480024A8FCB20DF9AD588BDEBBF8EB48364F208419D519A7310D338A544CFA6

Function 05792AD9 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 05792B3D

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 719f9452a7428d91e0791fd13df12b93f8655b25603548c525affbc3409f7766
Instruction ID: 28892b4dbccc667e6ee38726187ad25202ce57b5467b41591b8059f26b772fda
Opcode Fuzzy Hash: 719f9452a7428d91e0791fd13df12b93f8655b25603548c525affbc3409f7766
Instruction Fuzzy Hash: 5111F2B5C046499FCB24EF9AE844BDEFBF8EB48314F10841AD919A7201D378A545CFA5

Function 016CAF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016CAFDE

Memory Dump Source

Source File: 00000014.00000002.2282399219.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_16c0000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 56349c52f2a7580000ccddf392c92afd30d56c549ffefdaf4c1504c404a48673
Instruction ID: 8ef88d3a72a90bc6c501a656073bd9c60a3dc2f5f88051d21d157daeba759000
Opcode Fuzzy Hash: 56349c52f2a7580000ccddf392c92afd30d56c549ffefdaf4c1504c404a48673
Instruction Fuzzy Hash: 3C1110B5C002498FDB10DF9AC844ADEFBF4EF88714F10841AD928A7640D379A545CFA1

Function 05791760 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 057917B5

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3488471a2f33072ac34291cb2215f7e478777026ac4fab67e76189568e2fc6d6
Instruction ID: c696f6a0d68a873f53cd60f8cf5fa816080d6fc59ef86c7331dfa79ee88eb967
Opcode Fuzzy Hash: 3488471a2f33072ac34291cb2215f7e478777026ac4fab67e76189568e2fc6d6
Instruction Fuzzy Hash: D511F0B58003498FDB20DF9AD588BDEFBF8EB48324F20845AD519A7750C379A944CFA5

Function 05792AE0 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 05792B3D

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 9850a9585e99c11830cff42b8740ea4ec9693d5dc0939d650308ba4466d41610
Instruction ID: 1d1197fc86c1dd83ecd92e2acefd0376c66a3a3c7ad48292730bc0f2358ab334
Opcode Fuzzy Hash: 9850a9585e99c11830cff42b8740ea4ec9693d5dc0939d650308ba4466d41610
Instruction Fuzzy Hash: 6F110DB5C042488FCB10DF9AE848BDEFBF8EB48324F10842AD918A7200D378A544CFA5

Function 05798520 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 057985C0

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4fae72800c022e1acdf697a372db82355c8608adf8dca2b9ee328a5a3d68ec3b
Instruction ID: ff3f04f063aae25b7211dc7ee721878ff6312b97d3d11ee7f0ba0888fba32b81
Opcode Fuzzy Hash: 4fae72800c022e1acdf697a372db82355c8608adf8dca2b9ee328a5a3d68ec3b
Instruction Fuzzy Hash: DA217871900348CFCB14DFAAD448B9ABBF4FF49310F208469E958AB251C739E948CFA5

Function 05796CDC Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 057985C0

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d1a8dadb4853b26331c0d551e414e29d4695be8d75240036aaa4a011a221b73c
Instruction ID: f86c34afa46b76a3871ea1a99e67204aea3b2027718b47868d5f5db12863901e
Opcode Fuzzy Hash: d1a8dadb4853b26331c0d551e414e29d4695be8d75240036aaa4a011a221b73c
Instruction Fuzzy Hash: 101125B18007498FCB20DF9AD444BEEBBF4FB48320F108429D959A7340D738A944CFA5

Function 05796B6C Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 057985C0

Memory Dump Source

Source File: 00000014.00000002.2287300360.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_5790000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e6c46eadabbe62adb7f85a195591f3ec512b98cf42a789d44fa515723af38cea
Instruction ID: 08f61c4f3c4ea838f62d3346a093f0131cb4f25c41368e4ac1803e163a386cc6
Opcode Fuzzy Hash: e6c46eadabbe62adb7f85a195591f3ec512b98cf42a789d44fa515723af38cea
Instruction Fuzzy Hash: AE1136B18007498FCB20DF9AD445BEEBBF4FB48320F108429D959A7340D738A944CFA5

Function 0138D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2281106364.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_138d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e847543d907ba3add35f633e3a0d789d8f20b94f1cc58fbb9910dc7c9196f251
Instruction ID: 2765af81d4ffc1c0e9e116aed7c2960de51784e1a6b090a6287035060e57c777
Opcode Fuzzy Hash: e847543d907ba3add35f633e3a0d789d8f20b94f1cc58fbb9910dc7c9196f251
Instruction Fuzzy Hash: 3021F471544304DFDB05EF98D9C0B26BF65FB88318F20C56AD9090B296C33AD415C6B2

Function 0139D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2281188325.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_139d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46fcc6bd8618ea4c17d99761e870fa3881d37e174ee45518b78864202cfeb9e
Instruction ID: a81fb7bf65210b4211987df15047d72ed11f5d7853b5b3ed7caf2ed102ecaf5c
Opcode Fuzzy Hash: d46fcc6bd8618ea4c17d99761e870fa3881d37e174ee45518b78864202cfeb9e
Instruction Fuzzy Hash: D7212271604204DFDF15DFA8D985B26BF69FB88358F20C56DD90A0B356C33AD807CA61

Function 0138D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2281106364.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_138d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 22739303c626b3ec6732a3628411d2006f930496705ae70dce0297f421f47f48
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: E2119D76504240CFDB16DF58D5C4B16BF72FB84328F24C5AAD9090A256C336D55ACBA2

Function 0139D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2281188325.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_139d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: c678ebef28e8d3bdbebb5f9d4359464ab95109f847344505840eb45d3b9de74d
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5111DD75504280CFDB12CF58D5C4B15FFA2FB88318F24C6AAD8494B756C33AD40ACBA2

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S1qgnlqr1V.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DNS Host\dnshost.exe

C:\Program Files (x86)\DNS Host\dnshost.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_S1qgnlqr1V.exe_154b5bc2c27c2c66339f0b82a5790485a67d77_77b60c57_56b8f93c-6740-4b23-892a-7c4176431c0b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6553.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6583.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC346.tmp.dmp

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S1qgnlqr1V.exe.log

Windows Analysis Report
S1qgnlqr1V.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre