Edit tour

Windows Analysis Report
new policy.scr.exe

Overview

General Information

Sample name:	new policy.scr.exe
Analysis ID:	1502158
MD5:	01e7e40055d24780359493decf90ac21
SHA1:	b59b66a3af3a9920b7de22975997a1ec1e4d5528
SHA256:	3a5134cc11c7c47b7268e7bf6bf1556c5ff5044af54b7931cae652bfd8d83717
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Nanocore RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

new policy.scr.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\new policy.scr.exe" MD5: 01E7E40055D24780359493DECF90AC21)

airlineagancy.casacam.net 7076.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe" MD5: 85992141E0054144793B0767444AA3E0)

new policy.scr.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\new policy.scr.exe" MD5: 01E7E40055D24780359493DECF90AC21)

WerFault.exe (PID: 7516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1336 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Networks!.exe (PID: 8108 cmdline: "C:\Users\user\AppData\Roaming\Networks!.exe" MD5: 01E7E40055D24780359493DECF90AC21)

Networks!.exe (PID: 5868 cmdline: "C:\Users\user\AppData\Roaming\Networks!.exe" MD5: 01E7E40055D24780359493DECF90AC21)

Networks!.exe (PID: 7180 cmdline: "C:\Users\user\AppData\Roaming\Networks!.exe" MD5: 01E7E40055D24780359493DECF90AC21)

Networks!.exe (PID: 3720 cmdline: "C:\Users\user\AppData\Roaming\Networks!.exe" MD5: 01E7E40055D24780359493DECF90AC21)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["airlineagancy.casacam.net"], "Port": "7076", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7065c9a5-e7ef-4b4a-9ad2-3b36dc82", "Group": "JksonN", "Domain1": "jacksonnnn233.theworkpc.com", "Domain2": "", "Port": 65535, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000007.00000002.2303284343.000000000297D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3e116:$a1: NanoCore.ClientPluginHost 0x3e493:$a2: NanoCore.ClientPlugin 0x3e143:$b1: get_BuilderSettings 0x3d278:$b3: PluginCommand 0x3ebe3:$b4: IClientAppHost 0x46160:$b5: GetBlockHash 0x3eab4:$b6: AddHostEntry 0x42318:$b7: LogClientException 0x3ea13:$b8: PipeExists 0x3ebd0:$b9: IClientLoggingHost
00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c709:$a: NanoCore 0x3c8c9:$a: NanoCore 0x3e0f0:$a: NanoCore 0x3e116:$a: NanoCore 0x3e493:$a: NanoCore 0x3e0f9:$b: ClientPlugin 0x3e11f:$b: ClientPlugin 0x3e49c:$b: ClientPlugin 0x3d995:$c: ProjectData 0x430e2:$d: DESCrypto 0x4411c:$e: KeepAlive 0x42363:$g: LogClientMessage 0x3e9b6:$i: get_Connected 0x3c998:$j: #=q 0x3c9db:$j: #=q 0x3c9f7:$j: #=q 0x3ca39:$j: #=q 0x3ca55:$j: #=q 0x3ca71:$j: #=q 0x3cac9:$j: #=q 0x3cb17:$j: #=q
00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3c709:$v1: NanoCore Client 0x3c8c9:$v1: NanoCore Client 0x3d278:$v2: PluginCommand 0x3d260:$v3: CommandType
00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x7c81:$a1: NanoCore.ClientPluginHost 0x5c417:$a1: NanoCore.ClientPluginHost 0x66842:$a1: NanoCore.ClientPluginHost 0x7181f:$a1: NanoCore.ClientPluginHost 0x7d5c1:$a1: NanoCore.ClientPluginHost 0xa24c5:$a1: NanoCore.ClientPluginHost 0xb1905:$a1: NanoCore.ClientPluginHost 0x7c58:$a2: NanoCore.ClientPlugin 0x5c501:$a2: NanoCore.ClientPlugin 0x668e2:$a2: NanoCore.ClientPlugin 0x717f6:$a2: NanoCore.ClientPlugin 0x7d598:$a2: NanoCore.ClientPlugin 0xa249c:$a2: NanoCore.ClientPlugin 0xb18e0:$a2: NanoCore.ClientPlugin 0xb18f6:$b4: IClientAppHost 0x9fca:$b7: LogClientException 0x5dd5a:$b7: LogClientException 0x67638:$b7: LogClientException 0x7f90a:$b7: LogClientException 0xa74f0:$b7: LogClientException 0xb5de5:$b7: LogClientException
00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7c58:$a: NanoCore 0x7c81:$a: NanoCore 0x5c417:$a: NanoCore 0x5c501:$a: NanoCore 0x5d378:$a: NanoCore 0x66522:$a: NanoCore 0x66583:$a: NanoCore 0x665c6:$a: NanoCore 0x66606:$a: NanoCore 0x66842:$a: NanoCore 0x668e2:$a: NanoCore 0x670ba:$a: NanoCore 0x676ad:$a: NanoCore 0x677fe:$a: NanoCore 0x68658:$a: NanoCore 0x688bf:$a: NanoCore 0x688d4:$a: NanoCore 0x688f3:$a: NanoCore 0x717f6:$a: NanoCore 0x7181f:$a: NanoCore 0x7d598:$a: NanoCore
00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x78b8e:$a1: NanoCore.ClientPluginHost 0x78f0b:$a2: NanoCore.ClientPlugin 0x78bbb:$b1: get_BuilderSettings 0x77cf0:$b3: PluginCommand 0x7965b:$b4: IClientAppHost 0x80bd8:$b5: GetBlockHash 0x7952c:$b6: AddHostEntry 0x7cd90:$b7: LogClientException 0x7948b:$b8: PipeExists 0x79648:$b9: IClientLoggingHost
00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x77181:$a: NanoCore 0x77341:$a: NanoCore 0x78b68:$a: NanoCore 0x78b8e:$a: NanoCore 0x78f0b:$a: NanoCore 0x78b71:$b: ClientPlugin 0x78b97:$b: ClientPlugin 0x78f14:$b: ClientPlugin 0x7840d:$c: ProjectData 0x7db5a:$d: DESCrypto 0x7eb94:$e: KeepAlive 0x7cddb:$g: LogClientMessage 0x7942e:$i: get_Connected 0x77410:$j: #=q 0x77453:$j: #=q 0x7746f:$j: #=q 0x774b1:$j: #=q 0x774cd:$j: #=q 0x774e9:$j: #=q 0x77541:$j: #=q 0x7758f:$j: #=q
00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x77181:$v1: NanoCore Client 0x77341:$v1: NanoCore Client 0x77cf0:$v2: PluginCommand 0x77cd8:$v3: CommandType
00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41c1:$a1: NanoCore.ClientPluginHost 0x3b25:$a2: NanoCore.ClientPlugin 0x3fc9:$b1: get_BuilderSettings 0x41db:$b4: IClientAppHost
00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41c1:$x1: NanoCore.ClientPluginHost 0x41ae:$x2: IClientNetworkHost
00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3b25:$x2: NanoCore.ClientPlugin 0x41c1:$x3: NanoCore.ClientPluginHost 0x39a9:$i3: IClientNetwork 0x41db:$i4: IClientAppHost 0x419e:$i5: IClientDataHost 0x41ae:$i7: IClientNetworkHost 0x3c08:$i9: IClientNameObjectCollection 0x3c24:$i10: IClientReadOnlyNameObjectCollection 0x3b2e:$s1: ClientPlugin 0x4067:$s3: IPAddress
00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x78d5e:$a1: NanoCore.ClientPluginHost 0x790db:$a2: NanoCore.ClientPlugin 0x78d8b:$b1: get_BuilderSettings 0x77ec0:$b3: PluginCommand 0x7982b:$b4: IClientAppHost 0x80da8:$b5: GetBlockHash 0x796fc:$b6: AddHostEntry 0x7cf60:$b7: LogClientException 0x7965b:$b8: PipeExists 0x79818:$b9: IClientLoggingHost
00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x77351:$a: NanoCore 0x77511:$a: NanoCore 0x78d38:$a: NanoCore 0x78d5e:$a: NanoCore 0x790db:$a: NanoCore 0x78d41:$b: ClientPlugin 0x78d67:$b: ClientPlugin 0x790e4:$b: ClientPlugin 0x785dd:$c: ProjectData 0x7dd2a:$d: DESCrypto 0x7ed64:$e: KeepAlive 0x7cfab:$g: LogClientMessage 0x795fe:$i: get_Connected 0x775e0:$j: #=q 0x77623:$j: #=q 0x7763f:$j: #=q 0x77681:$j: #=q 0x7769d:$j: #=q 0x776b9:$j: #=q 0x77711:$j: #=q 0x7775f:$j: #=q
00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x77351:$v1: NanoCore Client 0x77511:$v1: NanoCore Client 0x77ec0:$v2: PluginCommand 0x77ea8:$v3: CommandType
00000000.00000002.1884977634.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x691a:$cnc4: POST / HTTP/1.1
00000007.00000002.2324492421.0000000004679000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3db16:$a1: NanoCore.ClientPluginHost 0x3de93:$a2: NanoCore.ClientPlugin 0x3db43:$b1: get_BuilderSettings 0x3cc78:$b3: PluginCommand 0x3e5e3:$b4: IClientAppHost 0x45b60:$b5: GetBlockHash 0x3e4b4:$b6: AddHostEntry 0x41d18:$b7: LogClientException 0x3e413:$b8: PipeExists 0x3e5d0:$b9: IClientLoggingHost
00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c109:$a: NanoCore 0x3c2c9:$a: NanoCore 0x3daf0:$a: NanoCore 0x3db16:$a: NanoCore 0x3de93:$a: NanoCore 0x3daf9:$b: ClientPlugin 0x3db1f:$b: ClientPlugin 0x3de9c:$b: ClientPlugin 0x3d395:$c: ProjectData 0x42ae2:$d: DESCrypto 0x43b1c:$e: KeepAlive 0x41d63:$g: LogClientMessage 0x3e3b6:$i: get_Connected 0x3c398:$j: #=q 0x3c3db:$j: #=q 0x3c3f7:$j: #=q 0x3c439:$j: #=q 0x3c455:$j: #=q 0x3c471:$j: #=q 0x3c4c9:$j: #=q 0x3c517:$j: #=q
00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3c109:$v1: NanoCore Client 0x3c2c9:$v1: NanoCore Client 0x3cc78:$v2: PluginCommand 0x3cc60:$v3: CommandType
00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xa432:$a1: NanoCore.ClientPluginHost 0x31a3b:$a1: NanoCore.ClientPluginHost 0xa40d:$a2: NanoCore.ClientPlugin 0x31a12:$a2: NanoCore.ClientPlugin 0xa423:$b4: IClientAppHost 0xe912:$b7: LogClientException 0x36a66:$b7: LogClientException 0xa45c:$b9: IClientLoggingHost 0x31a28:$b9: IClientLoggingHost
00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x556a5:$a1: NanoCore.ClientPluginHost 0x8d029:$a1: NanoCore.ClientPluginHost 0x97491:$a1: NanoCore.ClientPluginHost 0xa45ff:$a1: NanoCore.ClientPluginHost 0xae453:$a1: NanoCore.ClientPluginHost 0xb637d:$a1: NanoCore.ClientPluginHost 0xbc354:$a1: NanoCore.ClientPluginHost 0xc5dc3:$a1: NanoCore.ClientPluginHost 0xd01f3:$a1: NanoCore.ClientPluginHost 0xdb1d9:$a1: NanoCore.ClientPluginHost 0xe6f83:$a1: NanoCore.ClientPluginHost 0xf2cce:$a1: NanoCore.ClientPluginHost 0x55668:$a2: NanoCore.ClientPlugin 0x8c98d:$a2: NanoCore.ClientPlugin 0x9746b:$a2: NanoCore.ClientPlugin 0xa467b:$a2: NanoCore.ClientPlugin 0xae4cf:$a2: NanoCore.ClientPlugin 0xb63f7:$a2: NanoCore.ClientPlugin 0xbc39e:$a2: NanoCore.ClientPlugin 0xc5ead:$a2: NanoCore.ClientPlugin 0xd0293:$a2: NanoCore.ClientPlugin
00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5560f:$a: NanoCore 0x55668:$a: NanoCore 0x556a5:$a: NanoCore 0x5571e:$a: NanoCore 0x8c4a0:$a: NanoCore 0x8c98d:$a: NanoCore 0x8d029:$a: NanoCore 0x9746b:$a: NanoCore 0x97491:$a: NanoCore 0x974ed:$a: NanoCore 0xa4347:$a: NanoCore 0xa43a0:$a: NanoCore 0xa43d3:$a: NanoCore 0xa45ff:$a: NanoCore 0xa467b:$a: NanoCore 0xa4c94:$a: NanoCore 0xa4ddd:$a: NanoCore 0xa52b1:$a: NanoCore 0xa5598:$a: NanoCore 0xa55af:$a: NanoCore 0xae453:$a: NanoCore
00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x25a50:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2fc28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x25aed:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2fcc5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x25c02:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2fdda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x258c2:$cnc4: POST / HTTP/1.1 0x2fa9a:$cnc4: POST / HTTP/1.1
00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfd3:$a1: NanoCore.ClientPluginHost 0xf96:$a2: NanoCore.ClientPlugin
00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6a35d:$a1: NanoCore.ClientPluginHost 0x6a320:$a2: NanoCore.ClientPlugin 0x5bc07:$b1: get_BuilderSettings 0x6a6f4:$b1: get_BuilderSettings 0x7913f:$b2: ClientLoaderForm.resources 0x6a3ab:$b4: IClientAppHost 0x6a765:$b6: AddHostEntry 0x5bb76:$b7: LogClientException 0x6a7d4:$b7: LogClientException 0x6a749:$b8: PipeExists 0x6a398:$b9: IClientLoggingHost
00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6a2c7:$a: NanoCore 0x6a320:$a: NanoCore 0x6a35d:$a: NanoCore 0x6a3d6:$a: NanoCore 0x7917c:$a: NanoCore 0x6a329:$b: ClientPlugin 0x6a366:$b: ClientPlugin 0x6ac64:$b: ClientPlugin 0x6ac71:$b: ClientPlugin 0x5feec:$e: KeepAlive 0x6a7b1:$g: LogClientMessage 0x6a731:$i: get_Connected 0x5a6cd:$j: #=q 0x5a6fd:$j: #=q 0x5a739:$j: #=q 0x5a761:$j: #=q 0x5a791:$j: #=q 0x5a7c1:$j: #=q 0x5a7f1:$j: #=q 0x5a821:$j: #=q 0x5a83d:$j: #=q
00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000006.00000002.2232333043.0000000004A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d206:$a1: NanoCore.ClientPluginHost 0x3d583:$a2: NanoCore.ClientPlugin 0x3d233:$b1: get_BuilderSettings 0x3c368:$b3: PluginCommand 0x3dcd3:$b4: IClientAppHost 0x45250:$b5: GetBlockHash 0x3dba4:$b6: AddHostEntry 0x41408:$b7: LogClientException 0x3db03:$b8: PipeExists 0x3dcc0:$b9: IClientLoggingHost
00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3b7f9:$a: NanoCore 0x3b9b9:$a: NanoCore 0x3d1e0:$a: NanoCore 0x3d206:$a: NanoCore 0x3d583:$a: NanoCore 0x3d1e9:$b: ClientPlugin 0x3d20f:$b: ClientPlugin 0x3d58c:$b: ClientPlugin 0x3ca85:$c: ProjectData 0x421d2:$d: DESCrypto 0x4320c:$e: KeepAlive 0x41453:$g: LogClientMessage 0x3daa6:$i: get_Connected 0x3ba88:$j: #=q 0x3bacb:$j: #=q 0x3bae7:$j: #=q 0x3bb29:$j: #=q 0x3bb45:$j: #=q 0x3bb61:$j: #=q 0x3bbb9:$j: #=q 0x3bc07:$j: #=q
00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3b7f9:$v1: NanoCore Client 0x3b9b9:$v1: NanoCore Client 0x3c368:$v2: PluginCommand 0x3c350:$v3: CommandType
00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x42fd3:$a1: NanoCore.ClientPluginHost 0x56741:$a1: NanoCore.ClientPluginHost 0x6f205:$a1: NanoCore.ClientPluginHost 0x42f96:$a2: NanoCore.ClientPlugin 0x5670c:$a2: NanoCore.ClientPlugin 0x6f1d0:$a2: NanoCore.ClientPlugin 0x4336a:$b1: get_BuilderSettings 0x5b687:$b1: get_BuilderSettings 0x7414b:$b1: get_BuilderSettings 0x43021:$b4: IClientAppHost 0x433db:$b6: AddHostEntry 0x4344a:$b7: LogClientException 0x5b5f6:$b7: LogClientException 0x740ba:$b7: LogClientException 0x433bf:$b8: PipeExists 0x4300e:$b9: IClientLoggingHost 0x5675b:$b9: IClientLoggingHost 0x6f21f:$b9: IClientLoggingHost
00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f3d:$a: NanoCore 0x42f96:$a: NanoCore 0x42fd3:$a: NanoCore 0x4304c:$a: NanoCore 0x566f7:$a: NanoCore 0x5670c:$a: NanoCore 0x56741:$a: NanoCore 0x6f1bb:$a: NanoCore 0x6f1d0:$a: NanoCore 0x6f205:$a: NanoCore 0x42f9f:$b: ClientPlugin 0x42fdc:$b: ClientPlugin 0x438da:$b: ClientPlugin 0x438e7:$b: ClientPlugin 0x564b3:$b: ClientPlugin 0x564ce:$b: ClientPlugin 0x564fe:$b: ClientPlugin 0x56715:$b: ClientPlugin 0x5674a:$b: ClientPlugin 0x6ef77:$b: ClientPlugin 0x6ef92:$b: ClientPlugin
00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d666:$a1: NanoCore.ClientPluginHost 0x3d9e3:$a2: NanoCore.ClientPlugin 0x3d693:$b1: get_BuilderSettings 0x3c7c8:$b3: PluginCommand 0x3e133:$b4: IClientAppHost 0x456b0:$b5: GetBlockHash 0x3e004:$b6: AddHostEntry 0x41868:$b7: LogClientException 0x3df63:$b8: PipeExists 0x3e120:$b9: IClientLoggingHost
00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bc59:$a: NanoCore 0x3be19:$a: NanoCore 0x3d640:$a: NanoCore 0x3d666:$a: NanoCore 0x3d9e3:$a: NanoCore 0x3d649:$b: ClientPlugin 0x3d66f:$b: ClientPlugin 0x3d9ec:$b: ClientPlugin 0x3cee5:$c: ProjectData 0x42632:$d: DESCrypto 0x4366c:$e: KeepAlive 0x418b3:$g: LogClientMessage 0x3df06:$i: get_Connected 0x3bee8:$j: #=q 0x3bf2b:$j: #=q 0x3bf47:$j: #=q 0x3bf89:$j: #=q 0x3bfa5:$j: #=q 0x3bfc1:$j: #=q 0x3c019:$j: #=q 0x3c067:$j: #=q
00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3bc59:$v1: NanoCore Client 0x3be19:$v1: NanoCore Client 0x3c7c8:$v2: PluginCommand 0x3c7b0:$v3: CommandType
Process Memory Space: new policy.scr.exe PID: 7496	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: new policy.scr.exe PID: 7496	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: new policy.scr.exe PID: 7496	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: new policy.scr.exe PID: 7496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: new policy.scr.exe PID: 7496	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2f6c11:$a1: NanoCore.ClientPluginHost 0x325013:$a1: NanoCore.ClientPluginHost 0x2f6f8e:$a2: NanoCore.ClientPlugin 0x325390:$a2: NanoCore.ClientPlugin 0x2f6c3e:$b1: get_BuilderSettings 0x325040:$b1: get_BuilderSettings 0x2f5d8d:$b3: PluginCommand 0x32418f:$b3: PluginCommand 0x2f76de:$b4: IClientAppHost 0x325ae0:$b4: IClientAppHost 0x2febfd:$b5: GetBlockHash 0x32cfff:$b5: GetBlockHash 0x2f75af:$b6: AddHostEntry 0x3259b1:$b6: AddHostEntry 0x2faddd:$b7: LogClientException 0x30680b:$b7: LogClientException 0x3291df:$b7: LogClientException 0x334c0d:$b7: LogClientException 0x2f750e:$b8: PipeExists 0x325910:$b8: PipeExists 0x2f76cb:$b9: IClientLoggingHost
Process Memory Space: new policy.scr.exe PID: 7496	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f522d:$a: NanoCore 0x2f53e8:$a: NanoCore 0x2f6beb:$a: NanoCore 0x2f6c11:$a: NanoCore 0x2f6f8e:$a: NanoCore 0x301127:$a: NanoCore 0x3012d0:$a: NanoCore 0x3029bd:$a: NanoCore 0x3029e0:$a: NanoCore 0x302d37:$a: NanoCore 0x32362f:$a: NanoCore 0x3237ea:$a: NanoCore 0x324fed:$a: NanoCore 0x325013:$a: NanoCore 0x325390:$a: NanoCore 0x32f529:$a: NanoCore 0x32f6d2:$a: NanoCore 0x330dbf:$a: NanoCore 0x330de2:$a: NanoCore 0x331139:$a: NanoCore 0x2f6bf4:$b: ClientPlugin
Process Memory Space: new policy.scr.exe PID: 7496	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x2f522d:$v1: NanoCore Client 0x2f53e8:$v1: NanoCore Client 0x2f6beb:$v1: NanoCore Client 0x301127:$v1: NanoCore Client 0x3012d0:$v1: NanoCore Client 0x32362f:$v1: NanoCore Client 0x3237ea:$v1: NanoCore Client 0x324fed:$v1: NanoCore Client 0x32f529:$v1: NanoCore Client 0x32f6d2:$v1: NanoCore Client 0x2f5d8d:$v2: PluginCommand 0x301c1a:$v2: PluginCommand 0x32418f:$v2: PluginCommand 0x33001c:$v2: PluginCommand 0x2f5d75:$v3: CommandType 0x301c04:$v3: CommandType 0x324177:$v3: CommandType 0x330006:$v3: CommandType
Process Memory Space: airlineagancy.casacam.net 7076.exe PID: 7764	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: new policy.scr.exe PID: 7784	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: new policy.scr.exe PID: 7784	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1e06:$a1: NanoCore.ClientPluginHost 0x4b22:$a1: NanoCore.ClientPluginHost 0x54f44:$a1: NanoCore.ClientPluginHost 0x9d4cb:$a1: NanoCore.ClientPluginHost 0xa8078:$a1: NanoCore.ClientPluginHost 0xb32fa:$a1: NanoCore.ClientPluginHost 0xb5156:$a1: NanoCore.ClientPluginHost 0xb848a:$a1: NanoCore.ClientPluginHost 0xc173d:$a1: NanoCore.ClientPluginHost 0xd1f0b:$a1: NanoCore.ClientPluginHost 0xf56d6:$a1: NanoCore.ClientPluginHost 0xf9760:$a1: NanoCore.ClientPluginHost 0xff23f:$a1: NanoCore.ClientPluginHost 0x10c184:$a1: NanoCore.ClientPluginHost 0x11b602:$a1: NanoCore.ClientPluginHost 0x129914:$a1: NanoCore.ClientPluginHost 0x133329:$a1: NanoCore.ClientPluginHost 0x1e82:$a2: NanoCore.ClientPlugin 0x4af9:$a2: NanoCore.ClientPlugin 0x54f07:$a2: NanoCore.ClientPlugin 0x9d5b5:$a2: NanoCore.ClientPlugin
Process Memory Space: new policy.scr.exe PID: 7784	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b5c:$a: NanoCore 0x1bb5:$a: NanoCore 0x1be8:$a: NanoCore 0x1e06:$a: NanoCore 0x1e82:$a: NanoCore 0x2487:$a: NanoCore 0x25d0:$a: NanoCore 0x2613:$a: NanoCore 0x2666:$a: NanoCore 0x2695:$a: NanoCore 0x289b:$a: NanoCore 0x290f:$a: NanoCore 0x2ec6:$a: NanoCore 0x3002:$a: NanoCore 0x3041:$a: NanoCore 0x3252:$a: NanoCore 0x3269:$a: NanoCore 0x32cc:$a: NanoCore 0x32fa:$a: NanoCore 0x333d:$a: NanoCore 0x335a:$a: NanoCore
Process Memory Space: new policy.scr.exe PID: 7784	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3d1d7:$v1: NanoCore Client 0x3d234:$v1: NanoCore Client 0x3d2b5:$v1: NanoCore Client 0x5b826:$v1: NanoCore Client 0x1263f7:$v1: NanoCore Client 0x12c13d:$v1: NanoCore Client 0x12c14d:$v1: NanoCore Client 0x132447:$v1: NanoCore Client 0x13245b:$v1: NanoCore Client 0x2678:$v2: PluginCommand 0x6f6e7:$v2: PluginCommand 0x732d0:$v2: PluginCommand 0x12a527:$v2: PluginCommand 0x5581:$v3: CommandType 0x7836:$v3: CommandType 0xd4c7:$v3: CommandType 0x16bd8:$v3: CommandType 0x1b531:$v3: CommandType 0x2fa24:$v3: CommandType 0x38ce9:$v3: CommandType 0x5e7a7:$v3: CommandType
Process Memory Space: Networks!.exe PID: 8108	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Networks!.exe PID: 8108	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Networks!.exe PID: 8108	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Networks!.exe PID: 8108	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x12948:$a1: NanoCore.ClientPluginHost 0x42d4df:$a1: NanoCore.ClientPluginHost 0x12cc5:$a2: NanoCore.ClientPlugin 0x42d85c:$a2: NanoCore.ClientPlugin 0x12975:$b1: get_BuilderSettings 0x42d50c:$b1: get_BuilderSettings 0x11ac4:$b3: PluginCommand 0x42c65b:$b3: PluginCommand 0x13415:$b4: IClientAppHost 0x42dfac:$b4: IClientAppHost 0x1a934:$b5: GetBlockHash 0x4354cb:$b5: GetBlockHash 0x132e6:$b6: AddHostEntry 0x42de7d:$b6: AddHostEntry 0x16b14:$b7: LogClientException 0x22542:$b7: LogClientException 0x4316ab:$b7: LogClientException 0x43d0d9:$b7: LogClientException 0x13245:$b8: PipeExists 0x42dddc:$b8: PipeExists 0x13402:$b9: IClientLoggingHost
Process Memory Space: Networks!.exe PID: 8108	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f64:$a: NanoCore 0x1111f:$a: NanoCore 0x12922:$a: NanoCore 0x12948:$a: NanoCore 0x12cc5:$a: NanoCore 0x1ce5e:$a: NanoCore 0x1d007:$a: NanoCore 0x1e6f4:$a: NanoCore 0x1e717:$a: NanoCore 0x1ea6e:$a: NanoCore 0x42bafb:$a: NanoCore 0x42bcb6:$a: NanoCore 0x42d4b9:$a: NanoCore 0x42d4df:$a: NanoCore 0x42d85c:$a: NanoCore 0x4379f5:$a: NanoCore 0x437b9e:$a: NanoCore 0x43928b:$a: NanoCore 0x4392ae:$a: NanoCore 0x439605:$a: NanoCore 0x1292b:$b: ClientPlugin
Process Memory Space: Networks!.exe PID: 8108	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x10f64:$v1: NanoCore Client 0x1111f:$v1: NanoCore Client 0x12922:$v1: NanoCore Client 0x1ce5e:$v1: NanoCore Client 0x1d007:$v1: NanoCore Client 0x42bafb:$v1: NanoCore Client 0x42bcb6:$v1: NanoCore Client 0x42d4b9:$v1: NanoCore Client 0x4379f5:$v1: NanoCore Client 0x437b9e:$v1: NanoCore Client 0x11ac4:$v2: PluginCommand 0x1d951:$v2: PluginCommand 0x42c65b:$v2: PluginCommand 0x4384e8:$v2: PluginCommand 0x11aac:$v3: CommandType 0x1d93b:$v3: CommandType 0x42c643:$v3: CommandType 0x4384d2:$v3: CommandType
Process Memory Space: Networks!.exe PID: 7180	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Networks!.exe PID: 7180	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Networks!.exe PID: 7180	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Networks!.exe PID: 7180	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x42121:$a1: NanoCore.ClientPluginHost 0x4249e:$a2: NanoCore.ClientPlugin 0x4214e:$b1: get_BuilderSettings 0x4129d:$b3: PluginCommand 0x42bee:$b4: IClientAppHost 0x4a10d:$b5: GetBlockHash 0x42abf:$b6: AddHostEntry 0x462ed:$b7: LogClientException 0x51d1b:$b7: LogClientException 0x42a1e:$b8: PipeExists 0x42bdb:$b9: IClientLoggingHost
Process Memory Space: Networks!.exe PID: 7180	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4073d:$a: NanoCore 0x408f8:$a: NanoCore 0x420fb:$a: NanoCore 0x42121:$a: NanoCore 0x4249e:$a: NanoCore 0x4c637:$a: NanoCore 0x4c7e0:$a: NanoCore 0x4decd:$a: NanoCore 0x4def0:$a: NanoCore 0x4e247:$a: NanoCore 0x42104:$b: ClientPlugin 0x4212a:$b: ClientPlugin 0x424a7:$b: ClientPlugin 0x4ded5:$b: ClientPlugin 0x4def9:$b: ClientPlugin 0x4e250:$b: ClientPlugin 0x419a5:$c: ProjectData 0x4d7e2:$c: ProjectData 0x470a8:$d: DESCrypto 0x52a1f:$d: DESCrypto 0xf2bc:$e: KeepAlive
Process Memory Space: Networks!.exe PID: 7180	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x4073d:$v1: NanoCore Client 0x408f8:$v1: NanoCore Client 0x420fb:$v1: NanoCore Client 0x4c637:$v1: NanoCore Client 0x4c7e0:$v1: NanoCore Client 0x4129d:$v2: PluginCommand 0x4d12a:$v2: PluginCommand 0x41285:$v3: CommandType 0x4d114:$v3: CommandType
Process Memory Space: Networks!.exe PID: 5868	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Networks!.exe PID: 5868	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x27335:$a1: NanoCore.ClientPluginHost 0x3671a:$a1: NanoCore.ClientPluginHost 0x4e5db:$a1: NanoCore.ClientPluginHost 0x272f8:$a2: NanoCore.ClientPlugin 0x36a97:$a2: NanoCore.ClientPlugin 0x4e59e:$a2: NanoCore.ClientPlugin 0x2052a:$b1: get_BuilderSettings 0x36747:$b1: get_BuilderSettings 0x4e955:$b1: get_BuilderSettings 0x11bf:$b2: ClientLoaderForm.resources 0x1206:$b2: ClientLoaderForm.resources 0x28d8f:$b2: ClientLoaderForm.resources 0x28dd6:$b2: ClientLoaderForm.resources 0x29cc8:$b2: ClientLoaderForm.resources 0x29d0f:$b2: ClientLoaderForm.resources 0x2cf3b:$b2: ClientLoaderForm.resources 0x2cf82:$b2: ClientLoaderForm.resources 0x35896:$b3: PluginCommand 0x27383:$b4: IClientAppHost 0x371e7:$b4: IClientAppHost 0x4e629:$b4: IClientAppHost
Process Memory Space: Networks!.exe PID: 5868	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5d:$a: NanoCore 0x6d:$a: NanoCore 0x1221:$a: NanoCore 0x1271:$a: NanoCore 0xf5e1:$a: NanoCore 0xf5f5:$a: NanoCore 0x1018f:$a: NanoCore 0x101ec:$a: NanoCore 0x1026d:$a: NanoCore 0x2729f:$a: NanoCore 0x272f8:$a: NanoCore 0x27335:$a: NanoCore 0x273ae:$a: NanoCore 0x27b3c:$a: NanoCore 0x27b8f:$a: NanoCore 0x27bc8:$a: NanoCore 0x27c3b:$a: NanoCore 0x289b4:$a: NanoCore 0x28df1:$a: NanoCore 0x28e41:$a: NanoCore 0x29d2a:$a: NanoCore
Process Memory Space: Networks!.exe PID: 5868	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x5d:$v1: NanoCore Client 0x6d:$v1: NanoCore Client 0x1221:$v1: NanoCore Client 0x1271:$v1: NanoCore Client 0xf5e1:$v1: NanoCore Client 0xf5f5:$v1: NanoCore Client 0x1018f:$v1: NanoCore Client 0x101ec:$v1: NanoCore Client 0x1026d:$v1: NanoCore Client 0x289b4:$v1: NanoCore Client 0x28df1:$v1: NanoCore Client 0x28e41:$v1: NanoCore Client 0x29d2a:$v1: NanoCore Client 0x29d7a:$v1: NanoCore Client 0x2cf9d:$v1: NanoCore Client 0x2cfed:$v1: NanoCore Client 0x2dbf1:$v1: NanoCore Client 0x2dd8b:$v1: NanoCore Client 0x2dda1:$v1: NanoCore Client 0x2f1a1:$v1: NanoCore Client 0x34d36:$v1: NanoCore Client
Process Memory Space: Networks!.exe PID: 3720	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1c69a:$a1: NanoCore.ClientPluginHost 0x1c65d:$a2: NanoCore.ClientPlugin 0x1f4c:$b2: ClientLoaderForm.resources 0x1f93:$b2: ClientLoaderForm.resources 0x19548:$b2: ClientLoaderForm.resources 0x1958f:$b2: ClientLoaderForm.resources 0x29efd:$b2: ClientLoaderForm.resources
Click to see the 115 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Networks!.exe.4a592f0.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.new policy.scr.exe.59e4629.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.new policy.scr.exe.59e4629.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
3.2.new policy.scr.exe.59e4629.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.new policy.scr.exe.59e4629.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.new policy.scr.exe.7790000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7790000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7790000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
9.2.Networks!.exe.3e7b15e.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin
9.2.Networks!.exe.3e7b15e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
9.2.Networks!.exe.3e7b15e.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xe65:$i5: IClientDataHost 0xe8f:$i7: IClientNetworkHost 0xe41:$s1: ClientPlugin
3.2.new policy.scr.exe.7920000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7920000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7920000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
3.2.new policy.scr.exe.7920000.22.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7920000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7920000.22.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.new policy.scr.exe.7930000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7930000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7930000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.new policy.scr.exe.77b0000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
3.2.new policy.scr.exe.77b0000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
3.2.new policy.scr.exe.77b0000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
3.2.new policy.scr.exe.59e0000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.new policy.scr.exe.59e0000.12.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.new policy.scr.exe.59e0000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.new policy.scr.exe.59e0000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.new policy.scr.exe.440a4ff.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.new policy.scr.exe.440a4ff.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.new policy.scr.exe.440a4ff.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.new policy.scr.exe.7720000.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41c1:$a1: NanoCore.ClientPluginHost 0x3b25:$a2: NanoCore.ClientPlugin 0x3fc9:$b1: get_BuilderSettings 0x41db:$b4: IClientAppHost
3.2.new policy.scr.exe.7720000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41c1:$x1: NanoCore.ClientPluginHost 0x41ae:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7720000.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3b25:$x2: NanoCore.ClientPlugin 0x41c1:$x3: NanoCore.ClientPluginHost 0x39a9:$i3: IClientNetwork 0x41db:$i4: IClientAppHost 0x419e:$i5: IClientDataHost 0x41ae:$i7: IClientNetworkHost 0x3c08:$i9: IClientNameObjectCollection 0x3c24:$i10: IClientReadOnlyNameObjectCollection 0x3b2e:$s1: ClientPlugin 0x4067:$s3: IPAddress
8.2.Networks!.exe.37445bd.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.Networks!.exe.37445bd.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c48:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c13:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b8e:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28afd:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c62:$b9: IClientLoggingHost
8.2.Networks!.exe.37445bd.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c48:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c75:$x2: IClientNetworkHost
8.2.Networks!.exe.37445bd.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c13:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c48:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23c07:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c29:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c38:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c62:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c75:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c88:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c96:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23cb2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
0.2.new policy.scr.exe.3252f80.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.new policy.scr.exe.3252f80.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1
3.2.new policy.scr.exe.7770000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7770000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7770000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
8.2.Networks!.exe.373b15e.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.Networks!.exe.373b15e.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d0a7:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d072:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31fed:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f5c:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0c1:$b9: IClientLoggingHost
8.2.Networks!.exe.373b15e.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d05d:$a: NanoCore 0x2d072:$a: NanoCore 0x2d0a7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce19:$b: ClientPlugin 0x2ce34:$b: ClientPlugin
8.2.Networks!.exe.373b15e.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0a7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0d4:$x2: IClientNetworkHost
8.2.Networks!.exe.373b15e.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d072:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d0a7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d066:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d088:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d097:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0c1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
3.2.new policy.scr.exe.77a0000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
3.2.new policy.scr.exe.77a0000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
3.2.new policy.scr.exe.77a0000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
0.2.new policy.scr.exe.42c7788.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.new policy.scr.exe.42c7788.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3b606:$a1: NanoCore.ClientPluginHost 0x3b983:$a2: NanoCore.ClientPlugin 0x3b633:$b1: get_BuilderSettings 0x3a768:$b3: PluginCommand 0x3c0d3:$b4: IClientAppHost 0x43650:$b5: GetBlockHash 0x3bfa4:$b6: AddHostEntry 0x3f808:$b7: LogClientException 0x3bf03:$b8: PipeExists 0x3c0c0:$b9: IClientLoggingHost
0.2.new policy.scr.exe.42c7788.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x39bf9:$a: NanoCore 0x39db9:$a: NanoCore 0x3b5e0:$a: NanoCore 0x3b606:$a: NanoCore 0x3b983:$a: NanoCore 0x3b5e9:$b: ClientPlugin 0x3b60f:$b: ClientPlugin 0x3b98c:$b: ClientPlugin 0x3ae85:$c: ProjectData 0x405d2:$d: DESCrypto 0x4160c:$e: KeepAlive 0x3f853:$g: LogClientMessage 0x3bea6:$i: get_Connected 0x39e88:$j: #=q 0x39ecb:$j: #=q 0x39ee7:$j: #=q 0x39f29:$j: #=q 0x39f45:$j: #=q 0x39f61:$j: #=q 0x39fb9:$j: #=q 0x3a007:$j: #=q
0.2.new policy.scr.exe.42c7788.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3b606:$x1: NanoCore.ClientPluginHost 0x3beb4:$x2: IClientNetworkHost
0.2.new policy.scr.exe.42c7788.8.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x39bf9:$v1: NanoCore Client 0x39db9:$v1: NanoCore Client 0x3a768:$v2: PluginCommand 0x3a750:$v3: CommandType
0.2.new policy.scr.exe.42c7788.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x39bf9:$x1: NanoCore Client 0x39db9:$x1: NanoCore Client 0x3b983:$x2: NanoCore.ClientPlugin 0x3b606:$x3: NanoCore.ClientPluginHost 0x3b9e0:$i1: IClientApp 0x3b977:$i2: IClientData 0x3b9b5:$i3: IClientNetwork 0x3c0d3:$i4: IClientAppHost 0x3b5f6:$i5: IClientDataHost 0x3c0c0:$i6: IClientLoggingHost 0x3beb4:$i7: IClientNetworkHost 0x3c0b2:$i8: IClientUIHost 0x3b5c4:$i9: IClientNameObjectCollection 0x3b647:$i10: IClientReadOnlyNameObjectCollection 0x3b5e9:$s1: ClientPlugin 0x3b98c:$s1: ClientPlugin 0x42516:$s2: EndPoint 0x3ab7f:$s3: IPAddress 0x416ed:$s4: IPEndPoint 0x3b620:$s6: get_ClientSettings 0x3bea6:$s7: get_Connected
3.2.new policy.scr.exe.4550e57.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.4550e57.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
3.2.new policy.scr.exe.4550e57.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
3.2.new policy.scr.exe.4550e57.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
8.2.Networks!.exe.700000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.Networks!.exe.700000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d406:$a1: NanoCore.ClientPluginHost 0x3d783:$a2: NanoCore.ClientPlugin 0x3d433:$b1: get_BuilderSettings 0x3c568:$b3: PluginCommand 0x3ded3:$b4: IClientAppHost 0x45450:$b5: GetBlockHash 0x3dda4:$b6: AddHostEntry 0x41608:$b7: LogClientException 0x3dd03:$b8: PipeExists 0x3dec0:$b9: IClientLoggingHost
8.2.Networks!.exe.700000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3b9f9:$a: NanoCore 0x3bbb9:$a: NanoCore 0x3d3e0:$a: NanoCore 0x3d406:$a: NanoCore 0x3d783:$a: NanoCore 0x3d3e9:$b: ClientPlugin 0x3d40f:$b: ClientPlugin 0x3d78c:$b: ClientPlugin 0x3cc85:$c: ProjectData 0x423d2:$d: DESCrypto 0x4340c:$e: KeepAlive 0x41653:$g: LogClientMessage 0x3dca6:$i: get_Connected 0x3bc88:$j: #=q 0x3bccb:$j: #=q 0x3bce7:$j: #=q 0x3bd29:$j: #=q 0x3bd45:$j: #=q 0x3bd61:$j: #=q 0x3bdb9:$j: #=q 0x3be07:$j: #=q
8.2.Networks!.exe.700000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d406:$x1: NanoCore.ClientPluginHost 0x3dcb4:$x2: IClientNetworkHost
8.2.Networks!.exe.700000.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3b9f9:$v1: NanoCore Client 0x3bbb9:$v1: NanoCore Client 0x3c568:$v2: PluginCommand 0x3c550:$v3: CommandType
8.2.Networks!.exe.700000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3b9f9:$x1: NanoCore Client 0x3bbb9:$x1: NanoCore Client 0x3d783:$x2: NanoCore.ClientPlugin 0x3d406:$x3: NanoCore.ClientPluginHost 0x3d7e0:$i1: IClientApp 0x3d777:$i2: IClientData 0x3d7b5:$i3: IClientNetwork 0x3ded3:$i4: IClientAppHost 0x3d3f6:$i5: IClientDataHost 0x3dec0:$i6: IClientLoggingHost 0x3dcb4:$i7: IClientNetworkHost 0x3deb2:$i8: IClientUIHost 0x3d3c4:$i9: IClientNameObjectCollection 0x3d447:$i10: IClientReadOnlyNameObjectCollection 0x3d3e9:$s1: ClientPlugin 0x3d78c:$s1: ClientPlugin 0x44316:$s2: EndPoint 0x3c97f:$s3: IPAddress 0x434ed:$s4: IPEndPoint 0x3d420:$s6: get_ClientSettings 0x3dca6:$s7: get_Connected
3.2.new policy.scr.exe.44f2776.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.44f2776.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.new policy.scr.exe.44f2776.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.new policy.scr.exe.7790000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7790000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7790000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
3.2.new policy.scr.exe.77d0000.21.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.new policy.scr.exe.77d0000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.new policy.scr.exe.77d0000.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
7.2.Networks!.exe.46792f0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.new policy.scr.exe.7730000.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7730000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7730000.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1
3.2.new policy.scr.exe.5980000.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.new policy.scr.exe.3252f80.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.new policy.scr.exe.5980000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.new policy.scr.exe.5980000.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.new policy.scr.exe.3252f80.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
8.2.Networks!.exe.373ff94.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.Networks!.exe.373ff94.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28271:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x2823c:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1b7:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d126:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x2828b:$b9: IClientLoggingHost
8.2.Networks!.exe.373ff94.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28271:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2829e:$x2: IClientNetworkHost
8.2.Networks!.exe.373ff94.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2823c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28271:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28230:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28252:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28261:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2828b:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x2829e:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282b1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282bf:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282db:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
3.2.new policy.scr.exe.43f7444.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x2d5f7:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x2d5ce:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x32622:$b7: LogClientException 0x6018:$b9: IClientLoggingHost 0x2d5e4:$b9: IClientLoggingHost
3.2.new policy.scr.exe.43f7444.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x2d5f7:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost 0x2d611:$x2: IClientNetworkHost
3.2.new policy.scr.exe.43f7444.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x2d5ce:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x2d5f7:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x2d5bf:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x2d5e4:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x2d611:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x2d624:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin 0x2d32e:$s1: ClientPlugin 0x2d5d7:$s1: ClientPlugin
3.2.new policy.scr.exe.44f2776.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x57ca1:$a1: NanoCore.ClientPluginHost 0x620cc:$a1: NanoCore.ClientPluginHost 0x6d0a9:$a1: NanoCore.ClientPluginHost 0x78e4b:$a1: NanoCore.ClientPluginHost 0x9dd4f:$a1: NanoCore.ClientPluginHost 0xad18f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x57d8b:$a2: NanoCore.ClientPlugin 0x6216c:$a2: NanoCore.ClientPlugin 0x6d080:$a2: NanoCore.ClientPlugin 0x78e22:$a2: NanoCore.ClientPlugin 0x9dd26:$a2: NanoCore.ClientPlugin 0xad16a:$a2: NanoCore.ClientPlugin 0xad180:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x595e4:$b7: LogClientException 0x62ec2:$b7: LogClientException 0x7b194:$b7: LogClientException 0xa2d7a:$b7: LogClientException 0xb166f:$b7: LogClientException
3.2.new policy.scr.exe.44f2776.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x34e2:$a: NanoCore 0x350b:$a: NanoCore 0x57ca1:$a: NanoCore 0x57d8b:$a: NanoCore 0x58c02:$a: NanoCore 0x61dac:$a: NanoCore 0x61e0d:$a: NanoCore 0x61e50:$a: NanoCore 0x61e90:$a: NanoCore 0x620cc:$a: NanoCore 0x6216c:$a: NanoCore 0x62944:$a: NanoCore 0x62f37:$a: NanoCore 0x63088:$a: NanoCore 0x63ee2:$a: NanoCore 0x64149:$a: NanoCore 0x6415e:$a: NanoCore 0x6417d:$a: NanoCore 0x6d080:$a: NanoCore 0x6d0a9:$a: NanoCore 0x78e22:$a: NanoCore
3.2.new policy.scr.exe.44f2776.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x57ca1:$x1: NanoCore.ClientPluginHost 0x620cc:$x1: NanoCore.ClientPluginHost 0x6d0a9:$x1: NanoCore.ClientPluginHost 0x78e4b:$x1: NanoCore.ClientPluginHost 0x9dd4f:$x1: NanoCore.ClientPluginHost 0xad18f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x57dfe:$x2: IClientNetworkHost 0x62105:$x2: IClientNetworkHost 0x6d0c3:$x2: IClientNetworkHost 0x78e65:$x2: IClientNetworkHost 0x9dd69:$x2: IClientNetworkHost 0xad1cc:$x2: IClientNetworkHost
3.2.new policy.scr.exe.44f2776.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x57d8b:$x2: NanoCore.ClientPlugin 0x6216c:$x2: NanoCore.ClientPlugin 0x6d080:$x2: NanoCore.ClientPlugin 0x78e22:$x2: NanoCore.ClientPlugin 0x9dd26:$x2: NanoCore.ClientPlugin 0xad16a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x57ca1:$x3: NanoCore.ClientPluginHost 0x620cc:$x3: NanoCore.ClientPluginHost 0x6d0a9:$x3: NanoCore.ClientPluginHost 0x78e4b:$x3: NanoCore.ClientPluginHost 0x9dd4f:$x3: NanoCore.ClientPluginHost 0xad18f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x57da1:$i3: IClientNetwork 0x62182:$i3: IClientNetwork 0x6d071:$i3: IClientNetwork 0x78e13:$i3: IClientNetwork 0x9dd17:$i3: IClientNetwork 0xad15b:$i3: IClientNetwork
3.2.new policy.scr.exe.328f8ec.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.new policy.scr.exe.328f8ec.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.new policy.scr.exe.328f8ec.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.new policy.scr.exe.77b0000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
3.2.new policy.scr.exe.77b0000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
3.2.new policy.scr.exe.77b0000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
3.2.new policy.scr.exe.7720000.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23c1:$a1: NanoCore.ClientPluginHost 0x1d25:$a2: NanoCore.ClientPlugin 0x21c9:$b1: get_BuilderSettings 0x23db:$b4: IClientAppHost
3.2.new policy.scr.exe.7720000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23c1:$x1: NanoCore.ClientPluginHost 0x23ae:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7720000.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d25:$x2: NanoCore.ClientPlugin 0x23c1:$x3: NanoCore.ClientPluginHost 0x1ba9:$i3: IClientNetwork 0x23db:$i4: IClientAppHost 0x239e:$i5: IClientDataHost 0x23ae:$i7: IClientNetworkHost 0x1e08:$i9: IClientNameObjectCollection 0x1e24:$i10: IClientReadOnlyNameObjectCollection 0x1d2e:$s1: ClientPlugin 0x2267:$s3: IPAddress
8.2.Networks!.exe.275a4e8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.Networks!.exe.275a4e8.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xfc57:$b2: ClientLoaderForm.resources 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
8.2.Networks!.exe.275a4e8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.Networks!.exe.275a4e8.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfc94:$x1: NanoCore Client 0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.new policy.scr.exe.7930000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7930000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7930000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
3.2.new policy.scr.exe.4559c86.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
3.2.new policy.scr.exe.4559c86.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
3.2.new policy.scr.exe.4559c86.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
3.2.new policy.scr.exe.7730000.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7730000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7730000.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.new policy.scr.exe.7980000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7980000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7980000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
3.2.new policy.scr.exe.3289e68.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23c1:$a1: NanoCore.ClientPluginHost 0x1d25:$a2: NanoCore.ClientPlugin 0x21c9:$b1: get_BuilderSettings 0x23db:$b4: IClientAppHost
3.2.new policy.scr.exe.3289e68.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23c1:$x1: NanoCore.ClientPluginHost 0x23ae:$x2: IClientNetworkHost
3.2.new policy.scr.exe.3289e68.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d25:$x2: NanoCore.ClientPlugin 0x23c1:$x3: NanoCore.ClientPluginHost 0x1ba9:$i3: IClientNetwork 0x23db:$i4: IClientAppHost 0x239e:$i5: IClientDataHost 0x23ae:$i7: IClientNetworkHost 0x1e08:$i9: IClientNameObjectCollection 0x1e24:$i10: IClientReadOnlyNameObjectCollection 0x1d2e:$s1: ClientPlugin 0x2267:$s3: IPAddress
3.2.new policy.scr.exe.3289e68.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41c1:$a1: NanoCore.ClientPluginHost 0xe629:$a1: NanoCore.ClientPluginHost 0x1b797:$a1: NanoCore.ClientPluginHost 0x255eb:$a1: NanoCore.ClientPluginHost 0x2d515:$a1: NanoCore.ClientPluginHost 0x334ec:$a1: NanoCore.ClientPluginHost 0x3cf5b:$a1: NanoCore.ClientPluginHost 0x4738b:$a1: NanoCore.ClientPluginHost 0x52371:$a1: NanoCore.ClientPluginHost 0x5e11b:$a1: NanoCore.ClientPluginHost 0x69e66:$a1: NanoCore.ClientPluginHost 0x3b25:$a2: NanoCore.ClientPlugin 0xe603:$a2: NanoCore.ClientPlugin 0x1b813:$a2: NanoCore.ClientPlugin 0x25667:$a2: NanoCore.ClientPlugin 0x2d58f:$a2: NanoCore.ClientPlugin 0x33536:$a2: NanoCore.ClientPlugin 0x3d045:$a2: NanoCore.ClientPlugin 0x4742b:$a2: NanoCore.ClientPlugin 0x52348:$a2: NanoCore.ClientPlugin 0x5e0f2:$a2: NanoCore.ClientPlugin
3.2.new policy.scr.exe.3289e68.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3638:$a: NanoCore 0x3b25:$a: NanoCore 0x41c1:$a: NanoCore 0xe603:$a: NanoCore 0xe629:$a: NanoCore 0xe685:$a: NanoCore 0x1b4df:$a: NanoCore 0x1b538:$a: NanoCore 0x1b56b:$a: NanoCore 0x1b797:$a: NanoCore 0x1b813:$a: NanoCore 0x1be2c:$a: NanoCore 0x1bf75:$a: NanoCore 0x1c449:$a: NanoCore 0x1c730:$a: NanoCore 0x1c747:$a: NanoCore 0x255eb:$a: NanoCore 0x25667:$a: NanoCore 0x27f4a:$a: NanoCore 0x2d515:$a: NanoCore 0x2d58f:$a: NanoCore
3.2.new policy.scr.exe.3289e68.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41c1:$x1: NanoCore.ClientPluginHost 0xe629:$x1: NanoCore.ClientPluginHost 0x1b797:$x1: NanoCore.ClientPluginHost 0x255eb:$x1: NanoCore.ClientPluginHost 0x2d515:$x1: NanoCore.ClientPluginHost 0x334ec:$x1: NanoCore.ClientPluginHost 0x3cf5b:$x1: NanoCore.ClientPluginHost 0x4738b:$x1: NanoCore.ClientPluginHost 0x52371:$x1: NanoCore.ClientPluginHost 0x5e11b:$x1: NanoCore.ClientPluginHost 0x69e66:$x1: NanoCore.ClientPluginHost 0x41ae:$x2: IClientNetworkHost 0xe656:$x2: IClientNetworkHost 0x1b7d0:$x2: IClientNetworkHost 0x25624:$x2: IClientNetworkHost 0x2d54e:$x2: IClientNetworkHost 0x3d0b8:$x2: IClientNetworkHost 0x473c4:$x2: IClientNetworkHost 0x5238b:$x2: IClientNetworkHost 0x5e135:$x2: IClientNetworkHost 0x69ea3:$x2: IClientNetworkHost
3.2.new policy.scr.exe.3289e68.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3b25:$x2: NanoCore.ClientPlugin 0xe603:$x2: NanoCore.ClientPlugin 0x1b813:$x2: NanoCore.ClientPlugin 0x25667:$x2: NanoCore.ClientPlugin 0x2d58f:$x2: NanoCore.ClientPlugin 0x33536:$x2: NanoCore.ClientPlugin 0x3d045:$x2: NanoCore.ClientPlugin 0x4742b:$x2: NanoCore.ClientPlugin 0x52348:$x2: NanoCore.ClientPlugin 0x5e0f2:$x2: NanoCore.ClientPlugin 0x69e41:$x2: NanoCore.ClientPlugin 0x41c1:$x3: NanoCore.ClientPluginHost 0xe629:$x3: NanoCore.ClientPluginHost 0x1b797:$x3: NanoCore.ClientPluginHost 0x255eb:$x3: NanoCore.ClientPluginHost 0x2d515:$x3: NanoCore.ClientPluginHost 0x334ec:$x3: NanoCore.ClientPluginHost 0x3cf5b:$x3: NanoCore.ClientPluginHost 0x4738b:$x3: NanoCore.ClientPluginHost 0x52371:$x3: NanoCore.ClientPluginHost 0x5e11b:$x3: NanoCore.ClientPluginHost
3.2.new policy.scr.exe.59e0000.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.new policy.scr.exe.59e0000.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
3.2.new policy.scr.exe.59e0000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.new policy.scr.exe.59e0000.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
6.2.Networks!.exe.60b5958.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.new policy.scr.exe.7770000.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7770000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7770000.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
6.2.Networks!.exe.60b5958.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d406:$a1: NanoCore.ClientPluginHost 0x3d783:$a2: NanoCore.ClientPlugin 0x3d433:$b1: get_BuilderSettings 0x3c568:$b3: PluginCommand 0x3ded3:$b4: IClientAppHost 0x45450:$b5: GetBlockHash 0x3dda4:$b6: AddHostEntry 0x41608:$b7: LogClientException 0x3dd03:$b8: PipeExists 0x3dec0:$b9: IClientLoggingHost
6.2.Networks!.exe.60b5958.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3b9f9:$a: NanoCore 0x3bbb9:$a: NanoCore 0x3d3e0:$a: NanoCore 0x3d406:$a: NanoCore 0x3d783:$a: NanoCore 0x3d3e9:$b: ClientPlugin 0x3d40f:$b: ClientPlugin 0x3d78c:$b: ClientPlugin 0x3cc85:$c: ProjectData 0x423d2:$d: DESCrypto 0x4340c:$e: KeepAlive 0x41653:$g: LogClientMessage 0x3dca6:$i: get_Connected 0x3bc88:$j: #=q 0x3bccb:$j: #=q 0x3bce7:$j: #=q 0x3bd29:$j: #=q 0x3bd45:$j: #=q 0x3bd61:$j: #=q 0x3bdb9:$j: #=q 0x3be07:$j: #=q
6.2.Networks!.exe.60b5958.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d406:$x1: NanoCore.ClientPluginHost 0x3dcb4:$x2: IClientNetworkHost
6.2.Networks!.exe.60b5958.13.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3b9f9:$v1: NanoCore Client 0x3bbb9:$v1: NanoCore Client 0x3c568:$v2: PluginCommand 0x3c550:$v3: CommandType
6.2.Networks!.exe.60b5958.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3b9f9:$x1: NanoCore Client 0x3bbb9:$x1: NanoCore Client 0x3d783:$x2: NanoCore.ClientPlugin 0x3d406:$x3: NanoCore.ClientPluginHost 0x3d7e0:$i1: IClientApp 0x3d777:$i2: IClientData 0x3d7b5:$i3: IClientNetwork 0x3ded3:$i4: IClientAppHost 0x3d3f6:$i5: IClientDataHost 0x3dec0:$i6: IClientLoggingHost 0x3dcb4:$i7: IClientNetworkHost 0x3deb2:$i8: IClientUIHost 0x3d3c4:$i9: IClientNameObjectCollection 0x3d447:$i10: IClientReadOnlyNameObjectCollection 0x3d3e9:$s1: ClientPlugin 0x3d78c:$s1: ClientPlugin 0x44316:$s2: EndPoint 0x3c97f:$s3: IPAddress 0x434ed:$s4: IPEndPoint 0x3d420:$s6: get_ClientSettings 0x3dca6:$s7: get_Connected
3.2.new policy.scr.exe.7950000.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7950000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7950000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
0.2.new policy.scr.exe.42c7788.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.new policy.scr.exe.42c7788.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d406:$a1: NanoCore.ClientPluginHost 0x3d783:$a2: NanoCore.ClientPlugin 0x3d433:$b1: get_BuilderSettings 0x3c568:$b3: PluginCommand 0x3ded3:$b4: IClientAppHost 0x45450:$b5: GetBlockHash 0x3dda4:$b6: AddHostEntry 0x41608:$b7: LogClientException 0x3dd03:$b8: PipeExists 0x3dec0:$b9: IClientLoggingHost
0.2.new policy.scr.exe.42c7788.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3b9f9:$a: NanoCore 0x3bbb9:$a: NanoCore 0x3d3e0:$a: NanoCore 0x3d406:$a: NanoCore 0x3d783:$a: NanoCore 0x3d3e9:$b: ClientPlugin 0x3d40f:$b: ClientPlugin 0x3d78c:$b: ClientPlugin 0x3cc85:$c: ProjectData 0x423d2:$d: DESCrypto 0x4340c:$e: KeepAlive 0x41653:$g: LogClientMessage 0x3dca6:$i: get_Connected 0x3bc88:$j: #=q 0x3bccb:$j: #=q 0x3bce7:$j: #=q 0x3bd29:$j: #=q 0x3bd45:$j: #=q 0x3bd61:$j: #=q 0x3bdb9:$j: #=q 0x3be07:$j: #=q
0.2.new policy.scr.exe.42c7788.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d406:$x1: NanoCore.ClientPluginHost 0x3dcb4:$x2: IClientNetworkHost
0.2.new policy.scr.exe.42c7788.8.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3b9f9:$v1: NanoCore Client 0x3bbb9:$v1: NanoCore Client 0x3c568:$v2: PluginCommand 0x3c550:$v3: CommandType
0.2.new policy.scr.exe.42c7788.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3b9f9:$x1: NanoCore Client 0x3bbb9:$x1: NanoCore Client 0x3d783:$x2: NanoCore.ClientPlugin 0x3d406:$x3: NanoCore.ClientPluginHost 0x3d7e0:$i1: IClientApp 0x3d777:$i2: IClientData 0x3d7b5:$i3: IClientNetwork 0x3ded3:$i4: IClientAppHost 0x3d3f6:$i5: IClientDataHost 0x3dec0:$i6: IClientLoggingHost 0x3dcb4:$i7: IClientNetworkHost 0x3deb2:$i8: IClientUIHost 0x3d3c4:$i9: IClientNameObjectCollection 0x3d447:$i10: IClientReadOnlyNameObjectCollection 0x3d3e9:$s1: ClientPlugin 0x3d78c:$s1: ClientPlugin 0x44316:$s2: EndPoint 0x3c97f:$s3: IPAddress 0x434ed:$s4: IPEndPoint 0x3d420:$s6: get_ClientSettings 0x3dca6:$s7: get_Connected
3.2.new policy.scr.exe.77d0000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
3.2.new policy.scr.exe.77d0000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
3.2.new policy.scr.exe.77d0000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
3.2.new policy.scr.exe.7950000.25.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7950000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7950000.25.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.new policy.scr.exe.4405860.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.4405860.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.new policy.scr.exe.4405860.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
0.2.new policy.scr.exe.5af0000.16.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.new policy.scr.exe.4d192f0.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
8.2.Networks!.exe.373ff94.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.Networks!.exe.373ff94.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
8.2.Networks!.exe.373ff94.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.Networks!.exe.373ff94.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.new policy.scr.exe.7980000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7980000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7980000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
3.2.new policy.scr.exe.7760000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7760000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7760000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
3.2.new policy.scr.exe.43f7444.9.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
3.2.new policy.scr.exe.43f7444.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.2.new policy.scr.exe.43f7444.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
3.2.new policy.scr.exe.4550e57.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.new policy.scr.exe.4550e57.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.new policy.scr.exe.4550e57.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.new policy.scr.exe.795e8a4.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.new policy.scr.exe.795e8a4.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.new policy.scr.exe.795e8a4.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.new policy.scr.exe.4559c86.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
3.2.new policy.scr.exe.4559c86.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
3.2.new policy.scr.exe.4559c86.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.new policy.scr.exe.4405860.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.new policy.scr.exe.4405860.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.new policy.scr.exe.4405860.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.new policy.scr.exe.7954c9f.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.new policy.scr.exe.7954c9f.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.new policy.scr.exe.7954c9f.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
6.2.Networks!.exe.60b5958.13.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.Networks!.exe.60b5958.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3b606:$a1: NanoCore.ClientPluginHost 0x3b983:$a2: NanoCore.ClientPlugin 0x3b633:$b1: get_BuilderSettings 0x3a768:$b3: PluginCommand 0x3c0d3:$b4: IClientAppHost 0x43650:$b5: GetBlockHash 0x3bfa4:$b6: AddHostEntry 0x3f808:$b7: LogClientException 0x3bf03:$b8: PipeExists 0x3c0c0:$b9: IClientLoggingHost
6.2.Networks!.exe.60b5958.13.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x39bf9:$a: NanoCore 0x39db9:$a: NanoCore 0x3b5e0:$a: NanoCore 0x3b606:$a: NanoCore 0x3b983:$a: NanoCore 0x3b5e9:$b: ClientPlugin 0x3b60f:$b: ClientPlugin 0x3b98c:$b: ClientPlugin 0x3ae85:$c: ProjectData 0x405d2:$d: DESCrypto 0x4160c:$e: KeepAlive 0x3f853:$g: LogClientMessage 0x3bea6:$i: get_Connected 0x39e88:$j: #=q 0x39ecb:$j: #=q 0x39ee7:$j: #=q 0x39f29:$j: #=q 0x39f45:$j: #=q 0x39f61:$j: #=q 0x39fb9:$j: #=q 0x3a007:$j: #=q
6.2.Networks!.exe.60b5958.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3b606:$x1: NanoCore.ClientPluginHost 0x3beb4:$x2: IClientNetworkHost
6.2.Networks!.exe.60b5958.13.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x39bf9:$v1: NanoCore Client 0x39db9:$v1: NanoCore Client 0x3a768:$v2: PluginCommand 0x3a750:$v3: CommandType
6.2.Networks!.exe.60b5958.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x39bf9:$x1: NanoCore Client 0x39db9:$x1: NanoCore Client 0x3b983:$x2: NanoCore.ClientPlugin 0x3b606:$x3: NanoCore.ClientPluginHost 0x3b9e0:$i1: IClientApp 0x3b977:$i2: IClientData 0x3b9b5:$i3: IClientNetwork 0x3c0d3:$i4: IClientAppHost 0x3b5f6:$i5: IClientDataHost 0x3c0c0:$i6: IClientLoggingHost 0x3beb4:$i7: IClientNetworkHost 0x3c0b2:$i8: IClientUIHost 0x3b5c4:$i9: IClientNameObjectCollection 0x3b647:$i10: IClientReadOnlyNameObjectCollection 0x3b5e9:$s1: ClientPlugin 0x3b98c:$s1: ClientPlugin 0x42516:$s2: EndPoint 0x3ab7f:$s3: IPAddress 0x416ed:$s4: IPEndPoint 0x3b620:$s6: get_ClientSettings 0x3bea6:$s7: get_Connected
3.2.new policy.scr.exe.328f8ec.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d13:$a1: NanoCore.ClientPluginHost 0x1fb67:$a1: NanoCore.ClientPluginHost 0x27a91:$a1: NanoCore.ClientPluginHost 0x2da68:$a1: NanoCore.ClientPluginHost 0x374d7:$a1: NanoCore.ClientPluginHost 0x41907:$a1: NanoCore.ClientPluginHost 0x4c8ed:$a1: NanoCore.ClientPluginHost 0x58697:$a1: NanoCore.ClientPluginHost 0x643e2:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d8f:$a2: NanoCore.ClientPlugin 0x1fbe3:$a2: NanoCore.ClientPlugin 0x27b0b:$a2: NanoCore.ClientPlugin 0x2dab2:$a2: NanoCore.ClientPlugin 0x375c1:$a2: NanoCore.ClientPlugin 0x419a7:$a2: NanoCore.ClientPlugin 0x4c8c4:$a2: NanoCore.ClientPlugin 0x5866e:$a2: NanoCore.ClientPlugin 0x643bd:$a2: NanoCore.ClientPlugin 0x643d3:$b4: IClientAppHost
3.2.new policy.scr.exe.328f8ec.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5b:$a: NanoCore 0x15ab4:$a: NanoCore 0x15ae7:$a: NanoCore 0x15d13:$a: NanoCore 0x15d8f:$a: NanoCore 0x163a8:$a: NanoCore 0x164f1:$a: NanoCore 0x169c5:$a: NanoCore 0x16cac:$a: NanoCore 0x16cc3:$a: NanoCore 0x1fb67:$a: NanoCore 0x1fbe3:$a: NanoCore 0x224c6:$a: NanoCore 0x27a91:$a: NanoCore 0x27b0b:$a: NanoCore 0x2da68:$a: NanoCore 0x2dab2:$a: NanoCore 0x2e70c:$a: NanoCore
3.2.new policy.scr.exe.328f8ec.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d13:$x1: NanoCore.ClientPluginHost 0x1fb67:$x1: NanoCore.ClientPluginHost 0x27a91:$x1: NanoCore.ClientPluginHost 0x2da68:$x1: NanoCore.ClientPluginHost 0x374d7:$x1: NanoCore.ClientPluginHost 0x41907:$x1: NanoCore.ClientPluginHost 0x4c8ed:$x1: NanoCore.ClientPluginHost 0x58697:$x1: NanoCore.ClientPluginHost 0x643e2:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d4c:$x2: IClientNetworkHost 0x1fba0:$x2: IClientNetworkHost 0x27aca:$x2: IClientNetworkHost 0x37634:$x2: IClientNetworkHost 0x41940:$x2: IClientNetworkHost 0x4c907:$x2: IClientNetworkHost 0x586b1:$x2: IClientNetworkHost 0x6441f:$x2: IClientNetworkHost
3.2.new policy.scr.exe.328f8ec.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8f:$x2: NanoCore.ClientPlugin 0x1fbe3:$x2: NanoCore.ClientPlugin 0x27b0b:$x2: NanoCore.ClientPlugin 0x2dab2:$x2: NanoCore.ClientPlugin 0x375c1:$x2: NanoCore.ClientPlugin 0x419a7:$x2: NanoCore.ClientPlugin 0x4c8c4:$x2: NanoCore.ClientPlugin 0x5866e:$x2: NanoCore.ClientPlugin 0x643bd:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d13:$x3: NanoCore.ClientPluginHost 0x1fb67:$x3: NanoCore.ClientPluginHost 0x27a91:$x3: NanoCore.ClientPluginHost 0x2da68:$x3: NanoCore.ClientPluginHost 0x374d7:$x3: NanoCore.ClientPluginHost 0x41907:$x3: NanoCore.ClientPluginHost 0x4c8ed:$x3: NanoCore.ClientPluginHost 0x58697:$x3: NanoCore.ClientPluginHost 0x643e2:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
0.2.new policy.scr.exe.4af4e70.13.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
3.2.new policy.scr.exe.3255830.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.new policy.scr.exe.3255830.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x387f9:$a1: NanoCore.ClientPluginHost 0x42c61:$a1: NanoCore.ClientPluginHost 0x4fdcf:$a1: NanoCore.ClientPluginHost 0x59c23:$a1: NanoCore.ClientPluginHost 0x61b4d:$a1: NanoCore.ClientPluginHost 0x67b24:$a1: NanoCore.ClientPluginHost 0x71593:$a1: NanoCore.ClientPluginHost 0x7b9c3:$a1: NanoCore.ClientPluginHost 0x869a9:$a1: NanoCore.ClientPluginHost 0x92753:$a1: NanoCore.ClientPluginHost 0x9e49e:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x3815d:$a2: NanoCore.ClientPlugin 0x42c3b:$a2: NanoCore.ClientPlugin 0x4fe4b:$a2: NanoCore.ClientPlugin 0x59c9f:$a2: NanoCore.ClientPlugin 0x61bc7:$a2: NanoCore.ClientPlugin 0x67b6e:$a2: NanoCore.ClientPlugin 0x7167d:$a2: NanoCore.ClientPlugin 0x7ba63:$a2: NanoCore.ClientPlugin
3.2.new policy.scr.exe.3255830.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x37c70:$a: NanoCore 0x3815d:$a: NanoCore 0x387f9:$a: NanoCore 0x42c3b:$a: NanoCore 0x42c61:$a: NanoCore 0x42cbd:$a: NanoCore 0x4fb17:$a: NanoCore 0x4fb70:$a: NanoCore 0x4fba3:$a: NanoCore 0x4fdcf:$a: NanoCore 0x4fe4b:$a: NanoCore 0x50464:$a: NanoCore 0x505ad:$a: NanoCore 0x50a81:$a: NanoCore 0x50d68:$a: NanoCore 0x50d7f:$a: NanoCore 0x59c23:$a: NanoCore
3.2.new policy.scr.exe.3255830.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x387f9:$x1: NanoCore.ClientPluginHost 0x42c61:$x1: NanoCore.ClientPluginHost 0x4fdcf:$x1: NanoCore.ClientPluginHost 0x59c23:$x1: NanoCore.ClientPluginHost 0x61b4d:$x1: NanoCore.ClientPluginHost 0x67b24:$x1: NanoCore.ClientPluginHost 0x71593:$x1: NanoCore.ClientPluginHost 0x7b9c3:$x1: NanoCore.ClientPluginHost 0x869a9:$x1: NanoCore.ClientPluginHost 0x92753:$x1: NanoCore.ClientPluginHost 0x9e49e:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x387e6:$x2: IClientNetworkHost 0x42c8e:$x2: IClientNetworkHost 0x4fe08:$x2: IClientNetworkHost 0x59c5c:$x2: IClientNetworkHost 0x61b86:$x2: IClientNetworkHost 0x716f0:$x2: IClientNetworkHost 0x7b9fc:$x2: IClientNetworkHost 0x869c3:$x2: IClientNetworkHost
3.2.new policy.scr.exe.3255830.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x3815d:$x2: NanoCore.ClientPlugin 0x42c3b:$x2: NanoCore.ClientPlugin 0x4fe4b:$x2: NanoCore.ClientPlugin 0x59c9f:$x2: NanoCore.ClientPlugin 0x61bc7:$x2: NanoCore.ClientPlugin 0x67b6e:$x2: NanoCore.ClientPlugin 0x7167d:$x2: NanoCore.ClientPlugin 0x7ba63:$x2: NanoCore.ClientPlugin 0x86980:$x2: NanoCore.ClientPlugin 0x9272a:$x2: NanoCore.ClientPlugin 0x9e479:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x387f9:$x3: NanoCore.ClientPluginHost 0x42c61:$x3: NanoCore.ClientPluginHost 0x4fdcf:$x3: NanoCore.ClientPluginHost 0x59c23:$x3: NanoCore.ClientPluginHost 0x61b4d:$x3: NanoCore.ClientPluginHost 0x67b24:$x3: NanoCore.ClientPluginHost 0x71593:$x3: NanoCore.ClientPluginHost 0x7b9c3:$x3: NanoCore.ClientPluginHost
0.2.new policy.scr.exe.49e0650.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 202 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\new policy.scr.exe, ProcessId: 7784, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\new policy.scr.exe, ProcessId: 7784, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 78.159.112.29, DestinationIsIpv6: false, DestinationPort: 65535, EventID: 3, Image: C:\Users\user\Desktop\new policy.scr.exe, Initiated: true, ProcessId: 7784, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Networks!.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\new policy.scr.exe, ProcessId: 7496, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Networks!

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\new policy.scr.exe, ProcessId: 7784, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\new policy.scr.exe, ProcessId: 7784, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Suricata Signatures

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:51.945139+0200
SID:	2046914
Severity:	1
Source Port:	53338
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:51.945139+0200
SID:	2816718
Severity:	1
Source Port:	53338
Destination Port:	65535
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:51.945139+0200
SID:	2822326
Severity:	1
Source Port:	53338
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:52.225710+0200
SID:	2025019
Severity:	1
Source Port:	53338
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:10.373760+0200
SID:	2025019
Severity:	1
Source Port:	53341
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:47.258163+0200
SID:	2025019
Severity:	1
Source Port:	53349
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:04.358576+0200
SID:	2025019
Severity:	1
Source Port:	53340
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:26.186842+0200
SID:	2046914
Severity:	1
Source Port:	49736
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:26.186842+0200
SID:	2822326
Severity:	1
Source Port:	49736
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:33.570041+0200
SID:	2046914
Severity:	1
Source Port:	49738
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:33.570041+0200
SID:	2822326
Severity:	1
Source Port:	49738
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:32.391052+0200
SID:	2025019
Severity:	1
Source Port:	49738
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:10.085937+0200
SID:	2046914
Severity:	1
Source Port:	53341
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:10.085937+0200
SID:	2822326
Severity:	1
Source Port:	53341
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:32.583546+0200
SID:	2046914
Severity:	1
Source Port:	49738
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:32.583546+0200
SID:	2822326
Severity:	1
Source Port:	49738
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:45.898179+0200
SID:	2046914
Severity:	1
Source Port:	53337
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:45.898179+0200
SID:	2822326
Severity:	1
Source Port:	53337
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:37.309593+0200
SID:	2025019
Severity:	1
Source Port:	53347
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:51.647127+0200
SID:	2025019
Severity:	1
Source Port:	53350
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:39.007469+0200
SID:	2025019
Severity:	1
Source Port:	49739
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:40.488029+0200
SID:	2025019
Severity:	1
Source Port:	49739
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:56.975054+0200
SID:	2025019
Severity:	1
Source Port:	53339
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:15.115651+0200
SID:	2025019
Severity:	1
Source Port:	53343
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:09.084125+0200
SID:	2025019
Severity:	1
Source Port:	53341
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:40.248701+0200
SID:	2855924
Severity:	1
Source Port:	49737
Destination Port:	7076
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:58.248252+0200
SID:	2025019
Severity:	1
Source Port:	53339
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:54:31.726853+0200
SID:	2853193
Severity:	1
Source Port:	49737
Destination Port:	7076
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:21.268246+0200
SID:	2025019
Severity:	1
Source Port:	53344
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:18.308341+0200
SID:	2025019
Severity:	1
Source Port:	49732
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:09.089003+0200
SID:	2046914
Severity:	1
Source Port:	53341
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:09.089003+0200
SID:	2822326
Severity:	1
Source Port:	53341
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:33.707425+0200
SID:	2025019
Severity:	1
Source Port:	49738
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:45.043283+0200
SID:	2025019
Severity:	1
Source Port:	53337
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:42.181451+0200
SID:	2025019
Severity:	1
Source Port:	53348
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:22.732899+0200
SID:	2025019
Severity:	1
Source Port:	53344
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:57.992081+0200
SID:	2046914
Severity:	1
Source Port:	53339
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:57.992081+0200
SID:	2822326
Severity:	1
Source Port:	53339
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:27.296509+0200
SID:	2025019
Severity:	1
Source Port:	53345
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:50.934010+0200
SID:	2046914
Severity:	1
Source Port:	53338
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:50.934010+0200
SID:	2822326
Severity:	1
Source Port:	53338
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:16.431919+0200
SID:	2025019
Severity:	1
Source Port:	53343
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:50.927566+0200
SID:	2025019
Severity:	1
Source Port:	53338
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:03.039239+0200
SID:	2025019
Severity:	1
Source Port:	53340
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT Keepalive Response 1 - Source IP: 78.159.112.29 - Destination IP: 192.168.2.4

Timestamp:	2024-08-31T09:53:22.567721+0200
SID:	2046909
Severity:	1
Source Port:	65535
Destination Port:	53344
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:25.215778+0200
SID:	2025019
Severity:	1
Source Port:	49736
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:42.226462+0200
SID:	2046914
Severity:	1
Source Port:	53348
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:42.226462+0200
SID:	2822326
Severity:	1
Source Port:	53348
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:27.203037+0200
SID:	2046914
Severity:	1
Source Port:	49736
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:27.203037+0200
SID:	2822326
Severity:	1
Source Port:	49736
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:04.054663+0200
SID:	2046914
Severity:	1
Source Port:	53340
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:04.054663+0200
SID:	2822326
Severity:	1
Source Port:	53340
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:20.056405+0200
SID:	2046914
Severity:	1
Source Port:	49732
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:20.056405+0200
SID:	2822326
Severity:	1
Source Port:	49732
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:26.924955+0200
SID:	2025019
Severity:	1
Source Port:	49736
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:46.335004+0200
SID:	2025019
Severity:	1
Source Port:	53337
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:16.085785+0200
SID:	2046914
Severity:	1
Source Port:	53343
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:16.085785+0200
SID:	2822326
Severity:	1
Source Port:	53343
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:56.991962+0200
SID:	2046914
Severity:	1
Source Port:	53339
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:56.991962+0200
SID:	2822326
Severity:	1
Source Port:	53339
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:32.160686+0200
SID:	2025019
Severity:	1
Source Port:	53346
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:19.054786+0200
SID:	2046914
Severity:	1
Source Port:	49732
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:19.054786+0200
SID:	2822326
Severity:	1
Source Port:	49732
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:39.835725+0200
SID:	2046914
Severity:	1
Source Port:	49739
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:52:39.835725+0200
SID:	2822326
Severity:	1
Source Port:	49739
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:22.088477+0200
SID:	2046914
Severity:	1
Source Port:	53344
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE NanoCore RAT CnC 19 - Source IP: 192.168.2.4 - Destination IP: 78.159.112.29

Timestamp:	2024-08-31T09:53:22.088477+0200
SID:	2822326
Severity:	1
Source Port:	53344
Destination Port:	65535
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: new policy.scr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Avira: detection malicious, Label: HEUR/AGEN.1323683

Found malware configuration

Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7065c9a5-e7ef-4b4a-9ad2-3b36dc82", "Group": "JksonN", "Domain1": "jacksonnnn233.theworkpc.com", "Domain2": "", "Port": 65535, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["airlineagancy.casacam.net"], "Port": "7076", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Networks!.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Virustotal: Detection: 56%			Perma Link

Multi AV Scanner detection for submitted file

Source: new policy.scr.exe	ReversingLabs: Detection: 55%
Source: new policy.scr.exe	Virustotal: Detection: 56%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: new policy.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack	String decryptor: airlineagancy.casacam.net
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack	String decryptor: 7076
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack	String decryptor: USB.exe

Source: new policy.scr.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: new policy.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2239294193.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2239294193.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\ARM\Desktop\ncsource\Plugins\CorePlugin\CoreClientPlugin\obj\Release\CoreClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05C0D780
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then jmp 05D56B5Ch	0_2_05D56AD8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then jmp 05D5D260h	0_2_05D5D1A0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then jmp 05D5D260h	0_2_05D5D1A8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then jmp 05D56B5Ch	0_2_05D56AC8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_077510B3
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_07756D10
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_07756D00
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 02B52E8Ah	6_2_02B530BD
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	6_2_02B51A00
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	6_2_02B51A08
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	6_2_02B519B9
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 02B52E8Ah	6_2_02B52FD9
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 02B52E8Ah	6_2_02B52DB0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 02B52E8Ah	6_2_02B52DC0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	6_2_05C4D780
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 05D96B5Ch	6_2_05D96AD8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 05D9D260h	6_2_05D9D1A8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 05D9D260h	6_2_05D9D1A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 05D96B5Ch	6_2_05D96AC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 00F12E8Ah	7_2_00F130BD
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 00F12E8Ah	7_2_00F13138
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_00F119B9
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_00F11A00
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	7_2_00F11A08
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 00F12E8Ah	7_2_00F12DC0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 00F12E8Ah	7_2_00F12DB0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 00F12E8Ah	7_2_00F12FD9
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_057FD780
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 05946B5Ch	7_2_05946AD8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 0594D260h	7_2_0594D1A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 0594D260h	7_2_0594D1A8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 4x nop then jmp 05946B5Ch	7_2_05946AC8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49732 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49738 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49736 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:49739 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53337 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49737 -> 78.159.112.29:7076
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49739 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49739 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49736 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53337 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49736 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53337 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53344 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53339 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53339 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53344 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53344 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53341 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046909 - Severity 1 - ET MALWARE NanoCore RAT Keepalive Response 1 : 78.159.112.29:65535 -> 192.168.2.4:53344
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53348 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53339 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49738 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49738 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53345 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53341 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53347 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53349 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53340 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53341 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53348 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53348 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53340 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53340 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49737 -> 78.159.112.29:7076
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53346 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53350 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.4:53343 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.4:53338 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:49732 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:49732 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.4:53343 -> 78.159.112.29:65535
Source: Network traffic	Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.4:53343 -> 78.159.112.29:65535

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: airlineagancy.casacam.net
Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: jacksonnnn233.theworkpc.com

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 78.159.112.29:65535

Source: Joe Sandbox View

ASN Name: LEASEWEB-DE-FRA-10DE LEASEWEB-DE-FRA-10DE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: jacksonnnn233.theworkpc.com
Source: global traffic	DNS traffic detected: DNS query: airlineagancy.casacam.net
Source: global traffic	DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa

Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.0000000002511000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2232333043.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2324492421.00000000047C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.0000000002986000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_a586111e-f

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Networks!.exe PID: 3720, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5FBD0 NtResumeThread,	0_2_05D5FBD0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5E6E0 NtProtectVirtualMemory,	0_2_05D5E6E0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5FBC8 NtResumeThread,	0_2_05D5FBC8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5E6DB NtProtectVirtualMemory,	0_2_05D5E6DB
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9FBD0 NtResumeThread,	6_2_05D9FBD0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9E6E0 NtProtectVirtualMemory,	6_2_05D9E6E0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9FBC8 NtResumeThread,	6_2_05D9FBC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9E6DB NtProtectVirtualMemory,	6_2_05D9E6DB
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594FBD0 NtResumeThread,	7_2_0594FBD0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594E6E0 NtProtectVirtualMemory,	7_2_0594E6E0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594FBC8 NtResumeThread,	7_2_0594FBC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594E6D9 NtProtectVirtualMemory,	7_2_0594E6D9

Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_013D6BC8	0_2_013D6BC8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_013DB178	0_2_013DB178
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_013D6BB8	0_2_013D6BB8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_013D7638	0_2_013D7638
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_053505F8	0_2_053505F8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_053505E8	0_2_053505E8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E7C48	0_2_059E7C48
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E0040	0_2_059E0040
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E6E88	0_2_059E6E88
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E0006	0_2_059E0006
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E7C38	0_2_059E7C38
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E8048	0_2_059E8048
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E6710	0_2_059E6710
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E6720	0_2_059E6720
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E1290	0_2_059E1290
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E12A0	0_2_059E12A0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059E8200	0_2_059E8200
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05BF2CF1	0_2_05BF2CF1
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05BF3087	0_2_05BF3087
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05BF4368	0_2_05BF4368
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5B928	0_2_05D5B928
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D598B0	0_2_05D598B0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5E458	0_2_05D5E458
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D52EB8	0_2_05D52EB8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5B918	0_2_05D5B918
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D598A0	0_2_05D598A0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5E44B	0_2_05D5E44B
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D59C03	0_2_05D59C03
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5AE10	0_2_05D5AE10
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D5AE00	0_2_05D5AE00
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05E7EFA0	0_2_05E7EFA0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05E7FB00	0_2_05E7FB00
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05E7D088	0_2_05E7D088
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05E60040	0_2_05E60040
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05E60006	0_2_05E60006
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Code function: 2_2_00007FFD9BAC6D69	2_2_00007FFD9BAC6D69
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Code function: 2_2_00007FFD9BAC5FB9	2_2_00007FFD9BAC5FB9
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588E5D8	3_2_0588E5D8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_05883471	3_2_05883471
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588DE00	3_2_0588DE00
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588F1F0	3_2_0588F1F0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588B098	3_2_0588B098
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588B0A8	3_2_0588B0A8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588FAD0	3_2_0588FAD0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_077554B8	3_2_077554B8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0775E3F8	3_2_0775E3F8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0775DB28	3_2_0775DB28
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_07755A00	3_2_07755A00
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_07759850	3_2_07759850
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0775D7E0	3_2_0775D7E0
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0775A526	3_2_0775A526
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0775A468	3_2_0775A468
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_077554A8	3_2_077554A8
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_077559F1	3_2_077559F1
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0775E8F8	3_2_0775E8F8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B26BC8	6_2_02B26BC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B2B178	6_2_02B2B178
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B26BBF	6_2_02B26BBF
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B2765B	6_2_02B2765B
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B59EF0	6_2_02B59EF0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B5E707	6_2_02B5E707
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B56A10	6_2_02B56A10
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B5E9E5	6_2_02B5E9E5
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B59EE1	6_2_02B59EE1
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B5ECB0	6_2_02B5ECB0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B5ECAE	6_2_02B5ECAE
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A20040	6_2_05A20040
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A27C48	6_2_05A27C48
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A26E88	6_2_05A26E88
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A2003B	6_2_05A2003B
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A27C38	6_2_05A27C38
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A26720	6_2_05A26720
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A26710	6_2_05A26710
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A212A0	6_2_05A212A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A21290	6_2_05A21290
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A28200	6_2_05A28200
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05C32D50	6_2_05C32D50
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05C33087	6_2_05C33087
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05C34368	6_2_05C34368
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9B928	6_2_05D9B928
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D998B0	6_2_05D998B0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9E458	6_2_05D9E458
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D92EB8	6_2_05D92EB8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9B918	6_2_05D9B918
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D998A0	6_2_05D998A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9E44B	6_2_05D9E44B
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D99C03	6_2_05D99C03
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9AE10	6_2_05D9AE10
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D9AE00	6_2_05D9AE00
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05EBEFA0	6_2_05EBEFA0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05EBFB00	6_2_05EBFB00
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05EBD088	6_2_05EBD088
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05EA0040	6_2_05EA0040
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05EA0021	6_2_05EA0021
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00DF6BC8	7_2_00DF6BC8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00DFB178	7_2_00DFB178
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00DF6BB8	7_2_00DF6BB8
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00DF735D	7_2_00DF735D
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F19EF0	7_2_00F19EF0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F1E707	7_2_00F1E707
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F1E9E5	7_2_00F1E9E5
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F16A10	7_2_00F16A10
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F1ECB0	7_2_00F1ECB0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F1ECAF	7_2_00F1ECAF
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F19EE1	7_2_00F19EE1
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D7C48	7_2_055D7C48
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D0040	7_2_055D0040
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D6E88	7_2_055D6E88
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D0006	7_2_055D0006
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D7C38	7_2_055D7C38
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D6710	7_2_055D6710
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D6720	7_2_055D6720
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D8200	7_2_055D8200
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D1290	7_2_055D1290
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055D12A0	7_2_055D12A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057E4368	7_2_057E4368
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057E2CF1	7_2_057E2CF1
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057E0F1A	7_2_057E0F1A
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057EB5AF	7_2_057EB5AF
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057E3087	7_2_057E3087
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594B928	7_2_0594B928
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_059498B0	7_2_059498B0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594E458	7_2_0594E458
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594B918	7_2_0594B918
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_059498A0	7_2_059498A0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_05949C03	7_2_05949C03
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594304A	7_2_0594304A
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594E44A	7_2_0594E44A
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594AE10	7_2_0594AE10
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_0594AE00	7_2_0594AE00
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_05A6EFA0	7_2_05A6EFA0
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_05A6FB00	7_2_05A6FB00
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_05A6D088	7_2_05A6D088
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_05A50007	7_2_05A50007
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_05A50040	7_2_05A50040

Source: C:\Users\user\Desktop\new policy.scr.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1336

Source: new policy.scr.exe, 00000000.00000002.1883536648.0000000005510000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCpshapibpvz.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCpshapibpvz.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCpshapibpvz.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOwjefxd.exe0 vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000002.1862029930.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs new policy.scr.exe
Source: new policy.scr.exe, 00000000.00000000.1641044218.0000000000992000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOwjefxd.exe0 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.0000000004268000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll" vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870782033.000000000798E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.0000000004281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2859613130.0000000005C30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007978000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs new policy.scr.exe
Source: new policy.scr.exe, 00000003.00000002.2831215910.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs new policy.scr.exe
Source: new policy.scr.exe	Binary or memory string: OriginalFilenameOwjefxd.exe0 vs new policy.scr.exe

Source: new policy.scr.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7790000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.Networks!.exe.3e7b15e.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7920000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7920000.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7930000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77b0000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.440a4ff.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7720000.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7770000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77a0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4550e57.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.44f2776.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7790000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77d0000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7730000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.5980000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.43f7444.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.44f2776.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.328f8ec.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77b0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7720000.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7930000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4559c86.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7730000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7980000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.3289e68.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.3289e68.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7770000.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7950000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.77d0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7950000.25.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4405860.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7980000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7760000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.43f7444.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4550e57.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.795e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4559c86.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.4405860.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.7954c9f.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.328f8ec.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Networks!.exe PID: 3720, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: airlineagancy.casacam.net 7076.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: airlineagancy.casacam.net 7076.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: airlineagancy.casacam.net 7076.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: airlineagancy.casacam.net 7076.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: airlineagancy.casacam.net 7076.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/9@19/1

Source: C:\Users\user\Desktop\new policy.scr.exe

File created: C:\Users\user\AppData\Roaming\Networks!.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Mutant created: \Sessions\1\BaseNamedObjects\BGCigTdLypaes6Nr
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\new policy.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7065c9a5-e7ef-4b4a-9ad2-3b36dc826073}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:64:WilError_03

Source: C:\Users\user\Desktop\new policy.scr.exe

File created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe

Jump to behavior

Source: new policy.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: new policy.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\new policy.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: new policy.scr.exe	ReversingLabs: Detection: 55%
Source: new policy.scr.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\new policy.scr.exe

File read: C:\Users\user\Desktop\new policy.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe"
Source: C:\Users\user\Desktop\new policy.scr.exe	Process created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe "C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe"
Source: C:\Users\user\Desktop\new policy.scr.exe	Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"
Source: C:\Users\user\Desktop\new policy.scr.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1336
Source: C:\Users\user\Desktop\new policy.scr.exe	Process created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe "C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"	Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\new policy.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: new policy.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: new policy.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: new policy.scr.exe

Static file information: File size 2360320 > 1048576

Source: new policy.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x22f000

Source: new policy.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2239294193.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1883175138.00000000052F0000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2239294193.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\ARM\Desktop\ncsource\Plugins\CorePlugin\CoreClientPlugin\obj\Release\CoreClientPlugin.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: new policy.scr.exe, ParamCreatorObject.cs	.Net Code: MapSingleton System.AppDomain.Load(byte[])
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs	.Net Code: Memory
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 6.2.Networks!.exe.4a592f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Networks!.exe.46792f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.5af0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.4d192f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.4af4e70.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.49e0650.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2303284343.000000000297D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1884977634.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2324492421.0000000004679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2232333043.0000000004A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR

Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_059EB76B pushfd ; retf	0_2_059EB76E
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05BFD170 push 8B6C5ADFh; iretd	0_2_05BFD175
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05BFD320 pushad ; retf	0_2_05BFD321
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05C0328E push edi; iretd	0_2_05C03291
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05D570FA push eax; retf	0_2_05D570FB
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 0_2_05E67F92 push 00000031h; retf	0_2_05E67F94
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588D88F push DA0588D1h; ret	3_2_0588D8C9
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_0588D8CB push ss; ret	3_2_0588D8D1
Source: C:\Users\user\Desktop\new policy.scr.exe	Code function: 3_2_07757F28 push esp; ret	3_2_07757F29
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_02B546C4 push edx; iretd	6_2_02B546D2
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05A2B76B pushfd ; retf	6_2_05A2B76E
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05C3D170 push 8B6C56DFh; iretd	6_2_05C3D175
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05C3D320 pushad ; retf	6_2_05C3D321
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05C4328E push edi; iretd	6_2_05C43291
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 6_2_05D970FA push eax; retf	6_2_05D970FB
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_00F146BF push edx; iretd	7_2_00F146D2
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_05590D72 push eax; iretd	7_2_05590D1D
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_055DB76B pushfd ; retf	7_2_055DB76E
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057ED170 push 8B6C9BDFh; iretd	7_2_057ED175
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057ED320 pushad ; retf	7_2_057ED321
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_057F328E push edi; iretd	7_2_057F3291
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 7_2_059470FA push eax; retf	7_2_059470FB
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Code function: 9_2_05A073CD push FFFFFF8Bh; iretd	9_2_05A073CF

Source: C:\Users\user\Desktop\new policy.scr.exe	File created: C:\Users\user\AppData\Roaming\Networks!.exe			Jump to dropped file
Source: C:\Users\user\Desktop\new policy.scr.exe	File created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\new policy.scr.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Networks!

Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Networks!			Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Networks!			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\new policy.scr.exe

File opened: C:\Users\user\Desktop\new policy.scr.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: new policy.scr.exe, 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 5E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 5C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Memory allocated: 1A510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Memory allocated: 5200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 1040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 5EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 5C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 5A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 5800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 26F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 2610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 13F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 2E30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory allocated: 4E30000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Window / User API: threadDelayed 4580	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Window / User API: threadDelayed 5192	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Window / User API: threadDelayed 5225	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Window / User API: threadDelayed 4600	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Window / User API: foregroundWindowGot 696	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Window / User API: foregroundWindowGot 923	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8076	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8076	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8080	Thread sleep count: 4580 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe TID: 8080	Thread sleep count: 5192 > 30	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe TID: 7856	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe TID: 3120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Networks!.exe TID: 7448	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Thread delayed: delay time: 922337203685477

Source: Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: new policy.scr.exe, 00000000.00000002.1884717220.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: new policy.scr.exe, 00000003.00000002.2862345788.00000000066BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4091977760.00000000007B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\new policy.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe

Code function: 3_2_0145D01C LdrInitializeThunk,

3_2_0145D01C

Source: C:\Users\user\Desktop\new policy.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: airlineagancy.casacam.net 7076.exe.0.dr, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.new policy.scr.exe.4ed2b40.4.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\new policy.scr.exe	Memory written: C:\Users\user\Desktop\new policy.scr.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory written: C:\Users\user\AppData\Roaming\Networks!.exe base: 700000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Memory written: C:\Users\user\AppData\Roaming\Networks!.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\new policy.scr.exe	Process created: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe "C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Process created: C:\Users\user\Desktop\new policy.scr.exe "C:\Users\user\Desktop\new policy.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Process created: C:\Users\user\AppData\Roaming\Networks!.exe "C:\Users\user\AppData\Roaming\Networks!.exe"	Jump to behavior

Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<
Source: new policy.scr.exe, 00000003.00000002.2865661587.000000000714B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager(
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003403000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|>@
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q6k
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003430000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000339E000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000034EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx5f
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003451000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000034EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXGO
Source: new policy.scr.exe, 00000003.00000002.2862287242.000000000669C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4Ck
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000034AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q</N
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000037DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHq
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003516000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000340A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,mk
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,#}
Source: new policy.scr.exe, 00000003.00000002.2879812341.0000000007ECC000.00000004.00000010.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2879987019.000000000800C000.00000004.00000010.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2832562480.000000000181E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerManager
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,Me
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhgo
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0~S
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.00000000037DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP'Q
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003511000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003516000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdXt
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHQU
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qvd
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4Zo
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTQd
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000332F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql\a
Source: new policy.scr.exe, 00000003.00000002.2865122228.0000000006D8E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerR
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtGe
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000339E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$':
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,-u
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003739000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLv{
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH1X
Source: new policy.scr.exe, 00000003.00000002.2835253359.000000000368F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,-k
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003536000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.000000000340A000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlB^q
Source: airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.000000000269E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(B\|
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003566000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q("W
Source: new policy.scr.exe, 00000003.00000002.2835253359.00000000035E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT9`

Source: C:\Users\user\Desktop\new policy.scr.exe	Queries volume information: C:\Users\user\Desktop\new policy.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Queries volume information: C:\Users\user\Desktop\new policy.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\new policy.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Users\user\AppData\Roaming\Networks!.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Networks!.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\new policy.scr.exe

Code function: 3_2_07758C68 GetSystemTimes,

3_2_07758C68

Source: C:\Users\user\Desktop\new policy.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\new policy.scr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: airlineagancy.casacam.net 7076.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED

Remote Access Functionality

Detected Nanocore Rat

Source: new policy.scr.exe, 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Class10gdelegate0_0gclass0_0gstruct0_0gclass1_0gclass2_0gclass3_0class9_0smethod_0type_0contextValue_0string_0ulong_0bool_0gparam_0cultureInfo_0lastInputInfo_0stringBuilder_0resourceManager_0timer_0uintptr_0memoryStatus_0object_0uint_0ushort_0iclientDataHost_0iclientNetworkHost_0iclientAppHost_0GDelegate0GClass0GStruct0Class11gdelegate0_1class1_1smethod_1string_1ulong_1bool_1cultureInfo_1intptr_1object_1uint_1Class1`1IEnumerable`1ContextValue`1IEnumerator`1List`1GClass1Class12Int32class1_2smethod_2ulong_2intptr_2int_2KeyValuePair`2Dictionary`2GClass2Class13class1_3smethod_3GClass3Class14smethod_4Class4Class15method_5Class5Class16method_6Class6Class17method_7Class7Class18method_8Class8Class19method_9Class9<Module>System.IOTvalue__GetFirstRunDataProjectDatamscorlibSystem.Collections.GenericMicrosoft.VisualBasicGetWindowThreadProcessIdGetProcessByIdAddConnectionStateChangedConnectionFailedPipeClosedPipeCreatedget_BytesReceivedSynchronizedCoreCommandSystemCommandConnectionCommandRoundGetMethodmethodNetworkInterfaceStackTraceCreateInstancedefaultInstanceDivideGetHashCodeget_UnicodeAddRangeChangeBuildingHostCacheEndInvokeBeginInvokeIDisposableRuntimeMethodHandleGetModuleHandleRuntimeTypeHandleGetTypeFromHandleGetProcessHandleToSingleAvailablePageFileTotalPageFileset_WindowStyleProcessWindowStyleget_NameGetApplicationExecutableNameGetClientExecutableNameGetRandomFileNameGetFileNameget_FullNameget_ProcessNameGetNameAssemblyNameGetApplicationFriendlyNameGetClientFriendlyNameStackFrameGetFrameDateTimeOneCombineCommandTypeCheckForSyncLockOnValueTypeget_DeclaringTypeNanoCoreMethodBaseApplicationBaseApplicationSettingsBaseDisposeUpdateMulticastDelegateEditorBrowsableStateCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeStandardModuleAttributeHideModuleNameAttributeAssemblyTrademarkAttributeDebuggerHiddenAttributeAssemblyFileVersionAttributeMyGroupCollectionAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeCLSCompliantAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteget_Valueset_ValueLookupPrivilegeValueGetObjectValueGetValueMoveRemoveget_SizeInitializeSizeOfSystem.ThreadingEncodingToStringMathget_ExecutablePathGetTempPathobjAsyncCallbackTimerCallbackcallbackIClientNetworkTotalPhysicalAvailablePhsyicalMarshalDecimalMicrosoft.VisualBasic.MyServices.InternalAvailableVirtualTotalVirtualAvailableExVirtualSystem.ComponentModelHandleConnectionCommandUninstalladvapi32.dllkernel32.dlluser32.dllCoreClientPlugin.dllObjectFlowControlget_Itemset_ItemSystemEnumBooleanget_MetadataTokenOpenProcessTokenGetPublicKeyTokenMinNanoCore.ClientPluginCoreClientPluginGetIsRunningAsAdminApplicationSystem.Net.NetworkInformationUnicastIPAddressInformationSystem.ConfigurationSystem.GlobalizationSystem.ReflectionUnicastIPAddressInformationCollectionIClientNameObject
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: Class10gdelegate0_0gclass0_0gstruct0_0gclass1_0gclass2_0gclass3_0class9_0smethod_0type_0contextValue_0string_0ulong_0bool_0gparam_0cultureInfo_0lastInputInfo_0stringBuilder_0resourceManager_0timer_0uintptr_0memoryStatus_0object_0uint_0ushort_0iclientDataHost_0iclientNetworkHost_0iclientAppHost_0GDelegate0GClass0GStruct0Class11gdelegate0_1class1_1smethod_1string_1ulong_1bool_1cultureInfo_1intptr_1object_1uint_1Class1`1IEnumerable`1ContextValue`1IEnumerator`1List`1GClass1Class12Int32class1_2smethod_2ulong_2intptr_2int_2KeyValuePair`2Dictionary`2GClass2Class13class1_3smethod_3GClass3Class14smethod_4Class4Class15method_5Class5Class16method_6Class6Class17method_7Class7Class18method_8Class8Class19method_9Class9<Module>System.IOTvalue__GetFirstRunDataProjectDatamscorlibSystem.Collections.GenericMicrosoft.VisualBasicGetWindowThreadProcessIdGetProcessByIdAddConnectionStateChangedConnectionFailedPipeClosedPipeCreatedget_BytesReceivedSynchronizedCoreCommandSystemCommandConnectionCommandRoundGetMethodmethodNetworkInterfaceStackTraceCreateInstancedefaultInstanceDivideGetHashCodeget_UnicodeAddRangeChangeBuildingHostCacheEndInvokeBeginInvokeIDisposableRuntimeMethodHandleGetModuleHandleRuntimeTypeHandleGetTypeFromHandleGetProcessHandleToSingleAvailablePageFileTotalPageFileset_WindowStyleProcessWindowStyleget_NameGetApplicationExecutableNameGetClientExecutableNameGetRandomFileNameGetFileNameget_FullNameget_ProcessNameGetNameAssemblyNameGetApplicationFriendlyNameGetClientFriendlyNameStackFrameGetFrameDateTimeOneCombineCommandTypeCheckForSyncLockOnValueTypeget_DeclaringTypeNanoCoreMethodBaseApplicationBaseApplicationSettingsBaseDisposeUpdateMulticastDelegateEditorBrowsableStateCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeStandardModuleAttributeHideModuleNameAttributeAssemblyTrademarkAttributeDebuggerHiddenAttributeAssemblyFileVersionAttributeMyGroupCollectionAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeCLSCompliantAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteget_Valueset_ValueLookupPrivilegeValueGetObjectValueGetValueMoveRemoveget_SizeInitializeSizeOfSystem.ThreadingEncodingToStringMathget_ExecutablePathGetTempPathobjAsyncCallbackTimerCallbackcallbackIClientNetworkTotalPhysicalAvailablePhsyicalMarshalDecimalMicrosoft.VisualBasic.MyServices.InternalAvailableVirtualTotalVirtualAvailableExVirtualSystem.ComponentModelHandleConnectionCommandUninstalladvapi32.dllkernel32.dlluser32.dllCoreClientPlugin.dllObjectFlowControlget_Itemset_ItemSystemEnumBooleanget_MetadataTokenOpenProcessTokenGetPublicKeyTokenMinNanoCore.ClientPluginCoreClientPluginGetIsRunningAsAdminApplicationSystem.Net.NetworkInformationUnicastIPAddressInformationSystem.ConfigurationSystem.GlobalizationSystem.ReflectionUnicastIPAddressInformationCollectionIClientNameObject
Source: new policy.scr.exe, 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: new policy.scr.exe, 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: new policy.scr.exe, 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: new policy.scr.exe, 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: new policy.scr.exe, 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: new policy.scr.exe, 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Networks!.exe, 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Networks!.exe, 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Networks!.exe, 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHost

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.new policy.scr.exe.59e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.37445bd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373b15e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.275a4e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.59e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.42c7788.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Networks!.exe.373ff94.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Networks!.exe.60b5958.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.new policy.scr.exe.3255830.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 8108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Networks!.exe PID: 5868, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 0.2.new policy.scr.exe.3252f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.airlineagancy.casacam.net 7076.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.new policy.scr.exe.3252f80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: new policy.scr.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: airlineagancy.casacam.net 7076.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	112 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	311 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
new policy.scr.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
new policy.scr.exe	56%	Virustotal		Browse
new policy.scr.exe	100%	Avira	HEUR/AGEN.1323683
new policy.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\Networks!.exe	100%	Avira	HEUR/AGEN.1323683
C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Networks!.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Networks!.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
C:\Users\user\AppData\Roaming\Networks!.exe	56%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
jacksonnnn233.theworkpc.com	2%	Virustotal	Browse
airlineagancy.casacam.net	1%	Virustotal	Browse
56.126.166.20.in-addr.arpa	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
jacksonnnn233.theworkpc.com	0%	Avira URL Cloud	safe
http://google.com	0%	Avira URL Cloud	safe
airlineagancy.casacam.net	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
jacksonnnn233.theworkpc.com	2%	Virustotal		Browse
airlineagancy.casacam.net	1%	Virustotal		Browse
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
http://google.com	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jacksonnnn233.theworkpc.com	78.159.112.29	true	true	2%, Virustotal, Browse	unknown
airlineagancy.casacam.net	78.159.112.29	true	true	1%, Virustotal, Browse	unknown
56.126.166.20.in-addr.arpa	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true		unknown
jacksonnnn233.theworkpc.com	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
airlineagancy.casacam.net	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.0000000002986000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Networks!.exe, 00000006.00000002.2232333043.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2324492421.00000000047C7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://google.com	new policy.scr.exe, 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	new policy.scr.exe, 00000000.00000002.1869683888.0000000003260000.00000004.00000800.00020000.00000000.sdmp, airlineagancy.casacam.net 7076.exe, 00000002.00000002.4094137301.0000000002511000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000006.00000002.2215379715.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, Networks!.exe, 00000007.00000002.2303284343.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/11564914/23354;	new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	new policy.scr.exe, 00000000.00000002.1877031081.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, new policy.scr.exe, 00000000.00000002.1885309360.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.159.112.29	jacksonnnn233.theworkpc.com	Germany		28753	LEASEWEB-DE-FRA-10DE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502158
Start date and time:	2024-08-31 09:51:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	new policy.scr.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/9@19/1
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 87% Number of executed functions: 533 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target airlineagancy.casacam.net 7076.exe, PID 7764 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:52:17	API Interceptor	126524x Sleep call for process: new policy.scr.exe modified
03:52:25	API Interceptor	13181923x Sleep call for process: airlineagancy.casacam.net 7076.exe modified
08:52:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Networks! C:\Users\user\AppData\Roaming\Networks!.exe
08:52:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Networks! C:\Users\user\AppData\Roaming\Networks!.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
78.159.112.29	Accelya NDC SPRK.scr.exe	Get hash	malicious	Nanocore	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-DE-FRA-10DE	Accelya NDC SPRK.scr.exe	Get hash	malicious	Nanocore	Browse	78.159.112.29
	http://tradingbotsreviews.com	Get hash	malicious	Unknown	Browse	217.20.112.104
	warmcookie.bin.dll	Get hash	malicious	Unknown	Browse	185.49.69.41
	https://auth-start-treizor.github.io/	Get hash	malicious	Unknown	Browse	217.20.112.104
	Endermanch@SecurityDefender.exe	Get hash	malicious	Bdaejec	Browse	78.159.97.210
	counter.exe	Get hash	malicious	Bdaejec	Browse	37.1.197.107
	https://amour-adventure.com/wdMpjN?x=ZGF2ZXByb3NlZWRAZ29uZHRjLmNvbQ==&y=z241147_947	Get hash	malicious	Unknown	Browse	178.162.199.80
	th7ywlKawL.exe	Get hash	malicious	Remcos	Browse	78.159.112.21
	Mille raisons de venir.scr.exe	Get hash	malicious	Nanocore, HVNC	Browse	78.159.112.21
	92.249.48.47-skid.sh4-2024-07-20T09_04_17.elf	Get hash	malicious	Mirai, Moobot	Browse	212.95.52.206

Process:	C:\Users\user\AppData\Roaming\Networks!.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33280
Entropy (8bit):	5.5954216145255655
Encrypted:	false
SSDEEP:	768:oRPD9OQhx/BV3Tw4flzVFE9jCkOjhFba:od9OW/V3U4fnFE9jCkOjnG
MD5:	85992141E0054144793B0767444AA3E0
SHA1:	8DB16CF0596AA7B0794BF38397E8876F9CD7AC4D
SHA-256:	62138A28BE6583227C33E709D31064416B7009A8A66830229AA509832706FE42
SHA-512:	F0BF5714197B30DBD03C385B4E560695D5EA9FC18C268354C077F846701106E8D530A65C1A89B1096AA7F45232AC771603C58077BD2B603FB637F357BEDB4C6E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................x............... ........@.. ....................................@.................................D...W.................................................................................... ............... ..H............text....w... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H.......,O...H............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\catalog.dat

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:kz:kz
MD5:	D0FE400B78FCCFCF5716B4C1300F0B6D
SHA1:	3A9E1867C86317F65A617DA51341D1BCBD098B6B
SHA-256:	DC03C95366A7E598CF817C715D1F7D1D9E67F498915A51273C066A2F03F7136A
SHA-512:	7A007D13C744E30D8358CB766758525BDDFB4A9240429AFBD61A9A25AEEFC1011904A5ABC24EB3CD76D1B8A8CAD5624138444E9AA68E96E04297729439114DD2
Malicious:	true
Reputation:	low
Preview:	.7....H

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\settings.bak

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\settings.bin

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\storage.dat

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	312480
Entropy (8bit):	7.99946695108875
Encrypted:	true
SSDEEP:	6144:2WYGDIDE+GJclEi5KjQpbL17IzzKJxw2mEhmTvpyD0i:+kIQ+EcFKjObdIA3mEhuvpyDd
MD5:	34CC720BAB9A243A96B008251C4541CA
SHA1:	B275C34B63ECA934EE8DD536B18D753203FC171A
SHA-256:	A63EAF4AE6032C446FDBABB4753851121BB6C03A1CF11749962BF501FF70DEB2
SHA-512:	FC4310B2A4478D04F82A3A1B8C4370442222B8F95EE2AD005FA9F0A638A85EE7E53F00B69027F0338A5A5AC9E42E4C6A5E33716115855567367E2E71D13346E4
Malicious:	false
Preview:	.<.#..!.nt.........I..N#....sb.....Q..O.v.qS.......AK.0.....7].S..K.\|`k......~a..,8..y.C+.3.Z......;LZ.............y.QR..V..-.{".G.....g..]...R<]C`....Fak..{.....?.ViXd.....@k(Z.D...\..c...j.l5){HT....3.....Z...L.}).sH....m.H..._.)...w.@F.X,l......h.....K.S..... ..zi...{.:..y-.....Q.........E..~9......n`ts..Tt.@..x5..$.zv..1..n)...M..)...,`.... ....`....._.....8=y...Ry...r0J.9.....]$..,<.F;..B>..(....,\..{.....{...A..u.......Q.a..$..<..bP. xo.h...[.Y.ng...:.2..r.>......_..h.O:#c.Z.$..\.j......Sb..8.......X...y.(.......W(...v....1"@N!A.8...d.RV..FmyYj.2....g.R..gaA."d..A....B2!.5./...u...c.cw..".p&5.A...%.........B.?3C......z.tKv....=\|.c.....h..\2_....H.{[K..$...4.... .l..Q.=...e..2Y..]..:..>.....c]....q.+G..'.J.....~...$1..R..{..D...5.y$..^...!(..C.0.<(..N...\....FGEi....X.oX.@W....(..-..@.......D.{._p...\.6..zv...n$f:.....e...p..:&..8$ ./k....>Sd......L,P.*<.c....ZK8C.B../'......O........Vz._0$......OZ

C:\Users\user\AppData\Roaming\Networks!.exe

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2360320
Entropy (8bit):	4.2077914013848465
Encrypted:	false
SSDEEP:	24576:RGvPRpFuolzFPJ+l3Drhea534ESvFpLa35sfp+ee:
MD5:	01E7E40055D24780359493DECF90AC21
SHA1:	B59B66A3AF3A9920B7DE22975997A1EC1E4D5528
SHA-256:	3A5134CC11C7C47B7268E7BF6BF1556C5FF5044AF54B7931CAE652BFD8D83717
SHA-512:	D6069F19CB7ACAFE771ABD095AC9DE17767F31DAD21951488DD91B56EEC65674033E7AAD25D038A4F1CD067E1E7FE91F1E8D9BFCF75C593209BEFE876AC9FFC1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55% Antivirus: Virustotal, Detection: 56%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................."...........#.. ... #...@.. .......................`$...........`...................................#.K.... #.d....................@$...................................................... ............... ..H............text.....".. ...."................. ..`.rsrc...d.... #.......".............@..@.reloc.......@$.......$.............@..B..................#.....H........G...6...........}...".............................................(.......(.....s....(......{.....0..K....... ........8........E............8......}.... ....~S...{0...9....& ....8......0...........(.... ....~S...{p...9....& ....8....8........E.... .......K...8.......s....(.... ........8....s....(...... ....~S...{....:....& ....8....*..0.......... ........8........E......../...+...;...................8............... ....~S...{@...:....& ....8......... .......o

C:\Users\user\AppData\Roaming\Networks!.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\new policy.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.2077914013848465
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	new policy.scr.exe
File size:	2'360'320 bytes
MD5:	01e7e40055d24780359493decf90ac21
SHA1:	b59b66a3af3a9920b7de22975997a1ec1e4d5528
SHA256:	3a5134cc11c7c47b7268e7bf6bf1556c5ff5044af54b7931cae652bfd8d83717
SHA512:	d6069f19cb7acafe771abd095ac9de17767f31dad21951488dd91b56eec65674033e7aad25d038a4f1cd067e1e7fe91f1e8d9bfcf75c593209befe876ac9ffc1
SSDEEP:	24576:RGvPRpFuolzFPJ+l3Drhea534ESvFpLa35sfp+ee:
TLSH:	70B57DE4D46A48C1F8179DB05C3BBAC20E3237F3C9D50468272D7A48CFBB9997549E4A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................."...........#.. ... #...@.. .......................`$...........`................................

File Icon


Icon Hash:	32ed8e8e8ca8acb2

Static PE Info

General

Entrypoint:	0x630ede
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CFBED6 [Thu Aug 29 00:20:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x230e90	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x232000	0x10e64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x244000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x22eee4	0x22f000	01c97e30088ab9d738a5f239b8eb4d41	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x232000	0x10e64	0x11000	65fb793b6106bbea1497e49dfd632335	False	0.05280618106617647	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 2.000000, slope 2.014302	3.741046637865551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x244000	0xc	0x200	25f7194bc7f7ab553d126e3d19fe202f	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x232130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.04304684727315746
RT_GROUP_ICON	0x242958	0x14	data	1.15
RT_VERSION	0x24296c	0x30c	data	0.42435897435897435
RT_MANIFEST	0x242c78	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-31T09:52:51.945139+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53338	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:51.945139+0200	TCP	2816718	ETPRO MALWARE NanoCore RAT Keep-Alive Beacon	1	53338	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:51.945139+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53338	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:52.225710+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53338	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:10.373760+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53341	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:47.258163+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53349	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:04.358576+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53340	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:26.186842+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	49736	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:26.186842+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	49736	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:33.570041+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	49738	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:33.570041+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	49738	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:32.391052+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	49738	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:10.085937+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53341	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:10.085937+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53341	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:32.583546+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	49738	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:32.583546+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	49738	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:45.898179+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53337	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:45.898179+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53337	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:37.309593+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53347	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:51.647127+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53350	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:39.007469+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	49739	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:40.488029+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	49739	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:56.975054+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53339	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:15.115651+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53343	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:09.084125+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53341	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:40.248701+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	49737	7076	192.168.2.4	78.159.112.29
2024-08-31T09:52:58.248252+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53339	65535	192.168.2.4	78.159.112.29
2024-08-31T09:54:31.726853+0200	TCP	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	49737	7076	192.168.2.4	78.159.112.29
2024-08-31T09:53:21.268246+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53344	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:18.308341+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	49732	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:09.089003+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53341	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:09.089003+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53341	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:33.707425+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	49738	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:45.043283+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53337	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:42.181451+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53348	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:22.732899+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53344	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:57.992081+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53339	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:57.992081+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53339	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:27.296509+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53345	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:50.934010+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53338	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:50.934010+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53338	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:16.431919+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53343	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:50.927566+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53338	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:03.039239+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53340	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:22.567721+0200	TCP	2046909	ET MALWARE NanoCore RAT Keepalive Response 1	1	65535	53344	78.159.112.29	192.168.2.4
2024-08-31T09:52:25.215778+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	49736	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:42.226462+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53348	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:42.226462+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53348	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:27.203037+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	49736	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:27.203037+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	49736	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:04.054663+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53340	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:04.054663+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53340	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:20.056405+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	49732	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:20.056405+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	49732	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:26.924955+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	49736	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:46.335004+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53337	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:16.085785+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53343	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:16.085785+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53343	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:56.991962+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53339	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:56.991962+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53339	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:32.160686+0200	TCP	2025019	ET MALWARE Possible NanoCore C2 60B	1	53346	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:19.054786+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	49732	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:19.054786+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	49732	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:39.835725+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	49739	65535	192.168.2.4	78.159.112.29
2024-08-31T09:52:39.835725+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	49739	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:22.088477+0200	TCP	2046914	ET MALWARE NanoCore RAT CnC 7	1	53344	65535	192.168.2.4	78.159.112.29
2024-08-31T09:53:22.088477+0200	TCP	2822326	ETPRO MALWARE NanoCore RAT CnC 19	1	53344	65535	192.168.2.4	78.159.112.29

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 09:52:18.295720100 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:18.300559044 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:18.300625086 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:18.308341026 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:18.313113928 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:18.936306953 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:18.939028025 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:18.943829060 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.054785967 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.069145918 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.122736931 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.129440069 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.134222031 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.446891069 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.446906090 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.446916103 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.446924925 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.446934938 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.446943998 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.446964025 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.447014093 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.539098978 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539113045 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539123058 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539132118 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539143085 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539269924 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.539269924 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.539477110 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539493084 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539504051 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539515018 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539525032 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.539526939 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.539556026 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.539580107 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.631566048 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631589890 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631602049 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631612062 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631623983 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631649017 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.631767035 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631778002 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631788015 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631798029 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631808996 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.631809950 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.631818056 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.631838083 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.631860971 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.632628918 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.632639885 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.632651091 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.632675886 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.632677078 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.632723093 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.718070984 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724169016 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724179983 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724189997 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724244118 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.724297047 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724308014 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724344015 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.724653959 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724663973 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724673033 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724705935 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.724853992 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.724895954 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.725063086 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.725073099 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.725121021 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.725193024 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.725202084 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.725213051 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.725244045 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.725931883 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.725941896 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.725980043 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.726062059 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.726073027 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.726083040 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.726093054 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.726095915 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.726121902 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.772910118 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.803436995 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815681934 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815692902 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815725088 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815743923 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.815778017 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.815809965 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815819979 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815829992 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815839052 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815850019 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.815851927 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.815886974 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.816700935 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.816711903 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.816720009 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.816735029 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.816740036 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.816745996 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.816760063 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.816761017 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.816787004 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.817615986 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.817648888 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.817660093 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.817686081 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.817702055 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.817706108 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.817713022 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.817727089 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.817743063 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.818706036 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.818826914 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.818836927 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.818893909 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.818921089 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.818931103 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.818938971 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.818973064 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.819494963 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.819504023 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.819511890 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.819521904 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.819539070 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.819567919 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.907711029 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.907725096 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.907736063 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.907788038 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.907819033 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.907835960 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.907845974 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.907963991 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.907963991 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.908235073 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.908245087 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.908255100 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.908273935 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.908282042 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.908284903 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.908294916 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.908322096 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.908353090 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.909339905 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.909352064 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.909389019 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.909480095 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.909491062 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.909499884 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.909512043 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.909522057 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.909569025 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.910131931 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.910142899 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.910152912 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.910177946 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.910185099 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.910196066 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.910206079 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.910223007 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.910257101 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.911079884 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.911092043 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.911102057 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.911112070 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.911122084 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.911123037 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.911134005 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.911153078 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.911181927 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.912050009 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912060976 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912071943 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912106991 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.912201881 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912213087 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912224054 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912245989 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.912262917 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.912863016 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912873983 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912884951 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912895918 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:19.912914038 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:19.912944078 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.000422955 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000437021 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000447989 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000461102 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000472069 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000488997 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000493050 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.000499964 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000511885 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000526905 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.000541925 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000544071 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.000552893 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000562906 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000574112 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000585079 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.000598907 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.000617027 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001508951 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001521111 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001530886 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001543045 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001554012 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001564026 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001574039 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001574993 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001583099 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001588106 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001599073 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001604080 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001616001 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001647949 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001828909 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001840115 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001857042 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001866102 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001869917 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001883984 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001894951 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001904964 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001909971 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001915932 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001923084 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.001928091 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.001952887 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.002743959 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002782106 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.002929926 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002940893 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002949953 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002959013 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002969027 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002973080 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.002979040 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002990007 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.002991915 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.003016949 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.003076077 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.003086090 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.003096104 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.003122091 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.003139019 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.004180908 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004192114 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004201889 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004216909 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004226923 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004228115 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.004237890 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004250050 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.004275084 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.004375935 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004385948 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004396915 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004406929 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004419088 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.004420996 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004443884 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.004528999 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.004566908 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.056405067 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.061399937 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164307117 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164328098 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164338112 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164347887 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164383888 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164392948 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164402962 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164407015 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.164413929 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164441109 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.164450884 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.164515018 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164525032 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164534092 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164560080 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.164581060 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164592028 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164617062 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.164846897 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164882898 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.164891005 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164901018 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164920092 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164930105 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164932013 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.164938927 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.164958000 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165087938 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165103912 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165112972 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165143013 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165164948 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165184975 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165194035 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165201902 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165213108 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165226936 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165252924 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165513039 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165523052 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165530920 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165565014 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165606976 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165616989 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165625095 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165633917 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165646076 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165657997 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.165910006 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165955067 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165965080 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.165991068 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166007996 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166102886 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166114092 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166122913 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166137934 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166148901 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166150093 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166160107 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166169882 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166176081 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166184902 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166193008 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166196108 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166203976 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166217089 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166220903 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166225910 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166238070 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166243076 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166268110 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166856050 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166866064 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166874886 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166893959 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166915894 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.166934967 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166944981 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166954041 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166965008 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.166980028 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.167000055 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.167001009 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.167009115 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.167054892 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.169326067 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169339895 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169348955 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169358015 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169367075 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169378996 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.169411898 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.169440031 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169476986 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.169481993 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169491053 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169548988 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169559002 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169569016 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169578075 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169584036 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.169589043 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.169605017 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.169615984 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.215240955 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.256864071 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256885052 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256894112 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256906033 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256916046 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256926060 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256941080 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256951094 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256961107 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256969929 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256975889 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256980896 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256989956 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.256989002 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257005930 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257015944 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257025003 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257036924 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257046938 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257062912 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257087946 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257157087 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257191896 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257200956 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257239103 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257261992 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257272005 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257280111 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257291079 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257309914 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257318974 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257334948 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257344007 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257353067 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257368088 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257375956 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257379055 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257401943 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257410049 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257514954 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257525921 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257534027 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257544994 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257549047 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257555962 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257576942 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257631063 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257642984 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257652044 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257662058 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257673025 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257673025 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257692099 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257725000 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257774115 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257812977 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257822037 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257848978 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257867098 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257877111 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257886887 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:20.257904053 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.257920027 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.975328922 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:20.980074883 CEST	65535	49732	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:21.072660923 CEST	49732	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.210504055 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.215338945 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:25.215403080 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.215778112 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.220608950 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:25.716183901 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.721143007 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:25.721235037 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.853298903 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:25.853488922 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.858282089 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:25.891506910 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:25.896406889 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.038717031 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.041868925 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.046674013 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.186841965 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.191704035 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.360539913 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.413562059 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.490448952 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.538568974 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.769747019 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.774693966 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.776438951 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.781282902 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.781354904 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.786173105 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:26.924954891 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:26.930969954 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:27.106193066 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:27.108320951 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:27.113650084 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:27.197735071 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:27.198230982 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:27.202986002 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:27.203037024 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:27.207832098 CEST	65535	49736	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:28.200943947 CEST	49736	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:32.378439903 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:32.383424044 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:32.383533955 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:32.391052008 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:32.395906925 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:32.583545923 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:32.588649988 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.039383888 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.039551020 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:33.044374943 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.223654985 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.226500988 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:33.232192993 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.548161983 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.570040941 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:33.575081110 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.575737953 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:33.580549955 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.695719957 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.696146011 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:33.701096058 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.701155901 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:33.705981970 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.707425117 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:33.712251902 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.880212069 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:33.929219961 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:34.011897087 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:34.054263115 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:34.531400919 CEST	65535	49738	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:34.585467100 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:34.586519957 CEST	49738	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:39.002185106 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:39.007024050 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:39.007112026 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:39.007468939 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:39.012197018 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:39.658149004 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:39.658576012 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:39.663412094 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:39.835725069 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:39.840540886 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:39.841965914 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:39.845040083 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:39.891669989 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.248701096 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.253528118 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.346849918 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.383168936 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.387995005 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.433223963 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.476139069 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.477128983 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.477654934 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.482428074 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.482479095 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.487256050 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.488029003 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.495934010 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.715444088 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.757373095 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.851408958 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:40.855169058 CEST	65535	49739	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:40.855247021 CEST	49739	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:45.038146019 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:45.042943001 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:45.043008089 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:45.043282986 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:45.048019886 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:45.675018072 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:45.675266981 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:45.680064917 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:45.859249115 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:45.861777067 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:45.866585970 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:45.898179054 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:45.902951956 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.173114061 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.202903986 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:46.207695007 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.294456959 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.294866085 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:46.299642086 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.299699068 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:46.304425001 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.335004091 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:46.339823008 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.528786898 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.569936991 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:46.664597988 CEST	65535	53337	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:46.710566044 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:46.898282051 CEST	53337	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:50.922414064 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:50.927202940 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:50.927272081 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:50.927566051 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:50.933954000 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:50.934010029 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:50.938762903 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:51.564486027 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:51.564683914 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:51.569423914 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:51.748286963 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:51.751563072 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:51.756382942 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:51.945138931 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:51.950026035 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.063380957 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.116785049 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.190634012 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.203464031 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.208621025 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.208677053 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.213495016 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.215959072 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.220809937 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.225709915 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.230457067 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.428652048 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.476164103 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.528836966 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.569906950 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.667411089 CEST	65535	53338	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:52.710530996 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:52.955326080 CEST	53338	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:54.601869106 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:54.606718063 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:54.787331104 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:54.835532904 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:56.969892979 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:56.974716902 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:56.974795103 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:56.975054026 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:56.979836941 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:56.991961956 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:56.996803045 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:57.617083073 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:57.617244005 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:57.621987104 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:57.800229073 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:57.802867889 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:57.807630062 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:57.992080927 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:57.996925116 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.115947962 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.142990112 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:58.147797108 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.236548901 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.236912012 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:58.241672039 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.241750956 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:58.246541023 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.248251915 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:58.253030062 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.464989901 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.507448912 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:58.602639914 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.648062944 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:58.892152071 CEST	65535	53339	78.159.112.29	192.168.2.4
Aug 31, 2024 09:52:58.944931984 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:52:59.007618904 CEST	53339	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:03.032804012 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:03.038881063 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:03.038948059 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:03.039238930 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:03.044104099 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:03.705502033 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:03.705724001 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:03.710656881 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:03.896450043 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:03.898984909 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:03.903755903 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.054662943 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:04.059636116 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.225408077 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.247981071 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:04.252744913 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.345386982 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.346951962 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:04.351677895 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.351751089 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:04.356584072 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.358576059 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:04.363380909 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.582112074 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.632451057 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:04.720169067 CEST	65535	53340	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:04.773097038 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:05.057404041 CEST	53340	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:08.960829020 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:08.965795994 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.079003096 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:09.083771944 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.083853006 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:09.084125042 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:09.088958025 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.089003086 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:09.093759060 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.143172979 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.194993973 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:09.716094971 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.716301918 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:09.721149921 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.908010960 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:09.911154985 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:09.916009903 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.085937023 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:10.090816021 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.241785049 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.272133112 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:10.276932001 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.363217115 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.363605022 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:10.368632078 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.368707895 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:10.373687983 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.373759985 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:10.378652096 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.606817007 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.648092985 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:10.744741917 CEST	65535	53341	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:10.788712978 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:11.085845947 CEST	53341	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:15.110481977 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:15.115279913 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:15.115346909 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:15.115650892 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:15.120394945 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:15.765471935 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:15.783642054 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:15.788597107 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:15.969280005 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:15.971913099 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:15.976680994 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.085784912 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:16.090646029 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.286412001 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.314551115 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:16.319345951 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.410149097 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.410656929 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:16.415465117 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.415539026 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:16.420370102 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.431919098 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:16.436712027 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.623951912 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.679361105 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:16.760422945 CEST	65535	53343	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:16.804398060 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:17.085793018 CEST	53343	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:21.260304928 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:21.267318010 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:21.267891884 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:21.268245935 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:21.273025990 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:21.922303915 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:21.922621965 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:21.927625895 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.088476896 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:22.093346119 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.111291885 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.124924898 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:22.171658039 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.558819056 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.567720890 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.594804049 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:22.599569082 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.616894960 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:22.700059891 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.704977989 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:22.709748983 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.709822893 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:22.714709044 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.732898951 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:22.739748955 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.939995050 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:22.991906881 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:23.076085091 CEST	65535	53344	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:23.101496935 CEST	53344	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:23.320544958 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:23.325331926 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:23.506921053 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:23.554393053 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:27.291125059 CEST	53345	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:27.296082020 CEST	65535	53345	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:27.296139956 CEST	53345	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:27.296509027 CEST	53345	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:27.301296949 CEST	65535	53345	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:27.928344965 CEST	65535	53345	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:27.928549051 CEST	53345	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:27.933737040 CEST	65535	53345	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:28.112282991 CEST	65535	53345	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:28.117340088 CEST	53345	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:29.305171013 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:29.310151100 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:29.489737988 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:29.538772106 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:32.149652004 CEST	53346	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:32.154474974 CEST	65535	53346	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:32.160686016 CEST	53346	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:32.160686016 CEST	53346	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:32.165425062 CEST	65535	53346	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:32.797415018 CEST	65535	53346	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:32.805650949 CEST	53346	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:32.810563087 CEST	65535	53346	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:32.989705086 CEST	65535	53346	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:33.014484882 CEST	53346	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:33.019272089 CEST	65535	53346	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:33.132658005 CEST	53346	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:37.303704023 CEST	53347	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:37.309113026 CEST	65535	53347	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:37.309169054 CEST	53347	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:37.309592962 CEST	53347	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:37.314452887 CEST	65535	53347	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:37.970892906 CEST	65535	53347	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:37.980782032 CEST	53347	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:37.985707998 CEST	65535	53347	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:38.152574062 CEST	53347	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:38.335891962 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:38.536612034 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:38.715931892 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:38.758644104 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:42.176156044 CEST	53348	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:42.181046963 CEST	65535	53348	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:42.181225061 CEST	53348	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:42.181451082 CEST	53348	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:42.186229944 CEST	65535	53348	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:42.226461887 CEST	53348	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:42.232521057 CEST	65535	53348	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:42.820636034 CEST	65535	53348	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:42.820846081 CEST	53348	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:42.825771093 CEST	65535	53348	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:43.005295038 CEST	65535	53348	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:43.021138906 CEST	53348	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:43.026145935 CEST	65535	53348	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:43.226828098 CEST	53348	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:46.055495024 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:46.060436010 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:46.238903999 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:46.288933039 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:46.639394999 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:46.644256115 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:46.824336052 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:46.867098093 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:47.252696991 CEST	53349	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:47.257721901 CEST	65535	53349	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:47.257783890 CEST	53349	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:47.258162975 CEST	53349	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:47.262933969 CEST	65535	53349	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:47.617110014 CEST	53349	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:51.641872883 CEST	53350	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:51.646713972 CEST	65535	53350	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:51.646770954 CEST	53350	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:51.647126913 CEST	53350	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:51.651935101 CEST	65535	53350	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:51.774868011 CEST	53350	65535	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:52.441687107 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:52.526694059 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:55.929841042 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:53:55.935877085 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:56.112382889 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:53:56.226363897 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:05.351692915 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:05.356543064 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:05.533961058 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:05.726417065 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:08.101659060 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:08.106570005 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:08.284149885 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:08.337385893 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:11.179956913 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:11.184855938 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:11.362464905 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:11.413913965 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.477072954 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.482028961 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.523536921 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.528340101 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.601710081 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.606540918 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.617327929 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.622294903 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.633023977 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.637768984 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.661955118 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.710808039 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.752512932 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.804557085 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.843082905 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:21.898308992 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:21.976443052 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:22.023319006 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:22.429976940 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:22.478761911 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:28.023581028 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:28.071927071 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:28.207813978 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:28.258786917 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:31.182801008 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:31.187817097 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:31.368927956 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:31.414012909 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:31.726852894 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:31.731889963 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:31.758014917 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:31.762806892 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:31.915277004 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:31.960957050 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:32.000063896 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:32.054603100 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:44.070688009 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:44.075721979 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:44.253707886 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:44.304642916 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:50.070552111 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:50.075488091 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:50.253385067 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:50.306849003 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:52.435691118 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:52.476558924 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:59.351835012 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:54:59.356760025 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:59.534565926 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:54:59.585942030 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:01.820652962 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:01.826035976 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:02.003832102 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:02.054722071 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:05.148660898 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:05.153547049 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:05.331584930 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:05.382824898 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:08.258138895 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:08.262963057 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:08.440885067 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:08.494904995 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:15.930744886 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:15.935635090 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:16.114200115 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:16.164148092 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:22.429325104 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:22.476985931 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:30.365000010 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:30.369884014 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:30.550437927 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:30.601701021 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.492613077 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.497591019 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.508223057 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.513290882 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.555023909 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.559909105 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.570647001 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.575453043 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.586321115 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.591165066 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.601928949 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.606829882 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.617501974 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.622396946 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.664473057 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.669325113 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.675507069 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.695646048 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.756067038 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.765970945 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.805054903 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.809886932 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.851897955 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.856698036 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.867574930 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.872412920 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.883112907 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.887881041 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.896858931 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.945632935 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:39.959300995 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:39.961261034 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:40.008346081 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:40.038901091 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:40.166600943 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:40.166678905 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:40.253318071 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:40.352998018 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:40.356996059 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:52.430850029 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:52.573029041 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:54.323435068 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:54.328589916 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:54.507071018 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:54.683024883 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:55.461396933 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:55.466404915 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:55.476990938 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:55.484859943 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:55.492625952 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:55.497427940 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:55.645296097 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:55.735094070 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:55.735146046 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:55.852155924 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:55.857065916 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:55.869587898 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:56.034908056 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:55:56.034955978 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:59.914634943 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:55:59.959903955 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:56:00.101447105 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:56:00.179877043 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:56:01.695789099 CEST	49737	7076	192.168.2.4	78.159.112.29
Aug 31, 2024 09:56:01.700748920 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:56:01.878799915 CEST	7076	49737	78.159.112.29	192.168.2.4
Aug 31, 2024 09:56:01.976875067 CEST	49737	7076	192.168.2.4	78.159.112.29

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 09:52:18.122430086 CEST	54978	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:52:18.289823055 CEST	53	54978	8.8.8.8	192.168.2.4
Aug 31, 2024 09:52:25.086874962 CEST	55409	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:52:25.209759951 CEST	53	55409	8.8.8.8	192.168.2.4
Aug 31, 2024 09:52:25.577610970 CEST	58913	53	192.168.2.4	1.1.1.1
Aug 31, 2024 09:52:25.703269958 CEST	53	58913	1.1.1.1	192.168.2.4
Aug 31, 2024 09:52:32.212369919 CEST	61680	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:52:32.371953964 CEST	53	61680	8.8.8.8	192.168.2.4
Aug 31, 2024 09:52:38.826383114 CEST	55575	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:52:38.989593983 CEST	53	55575	8.8.8.8	192.168.2.4
Aug 31, 2024 09:52:39.126861095 CEST	53	52027	162.159.36.2	192.168.2.4
Aug 31, 2024 09:52:39.611970901 CEST	57290	53	192.168.2.4	1.1.1.1
Aug 31, 2024 09:52:39.619112015 CEST	53	57290	1.1.1.1	192.168.2.4
Aug 31, 2024 09:52:44.869402885 CEST	61619	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:52:45.037497997 CEST	53	61619	8.8.8.8	192.168.2.4
Aug 31, 2024 09:52:50.915261984 CEST	53056	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:52:50.921895027 CEST	53	53056	8.8.8.8	192.168.2.4
Aug 31, 2024 09:52:56.962366104 CEST	61482	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:52:56.969266891 CEST	53	61482	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:03.024585009 CEST	51559	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:03.032295942 CEST	53	51559	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:09.071680069 CEST	61812	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:09.078522921 CEST	53	61812	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:15.103027105 CEST	65265	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:15.109904051 CEST	53	65265	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:21.103384018 CEST	52388	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:21.256489038 CEST	53	52388	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:27.118714094 CEST	51673	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:27.290493011 CEST	53	51673	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:32.134634972 CEST	60385	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:32.141691923 CEST	53	60385	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:37.153480053 CEST	59068	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:37.303102016 CEST	53	59068	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:42.168418884 CEST	55653	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:42.175571918 CEST	53	55653	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:47.244908094 CEST	58320	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:47.252072096 CEST	53	58320	8.8.8.8	192.168.2.4
Aug 31, 2024 09:53:51.634251118 CEST	50782	53	192.168.2.4	8.8.8.8
Aug 31, 2024 09:53:51.641166925 CEST	53	50782	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 31, 2024 09:52:18.122430086 CEST	192.168.2.4	8.8.8.8	0xd784	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:25.086874962 CEST	192.168.2.4	8.8.8.8	0xec5e	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:25.577610970 CEST	192.168.2.4	1.1.1.1	0xe9ba	Standard query (0)	airlineagancy.casacam.net	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:32.212369919 CEST	192.168.2.4	8.8.8.8	0x6662	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:38.826383114 CEST	192.168.2.4	8.8.8.8	0xbf7b	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:39.611970901 CEST	192.168.2.4	1.1.1.1	0x4494	Standard query (0)	56.126.166.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Aug 31, 2024 09:52:44.869402885 CEST	192.168.2.4	8.8.8.8	0x5c33	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:50.915261984 CEST	192.168.2.4	8.8.8.8	0x5590	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:56.962366104 CEST	192.168.2.4	8.8.8.8	0xd463	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:03.024585009 CEST	192.168.2.4	8.8.8.8	0xe028	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:09.071680069 CEST	192.168.2.4	8.8.8.8	0x179	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:15.103027105 CEST	192.168.2.4	8.8.8.8	0xe914	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:21.103384018 CEST	192.168.2.4	8.8.8.8	0x465a	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:27.118714094 CEST	192.168.2.4	8.8.8.8	0x9986	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:32.134634972 CEST	192.168.2.4	8.8.8.8	0xdc2b	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:37.153480053 CEST	192.168.2.4	8.8.8.8	0x7d46	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:42.168418884 CEST	192.168.2.4	8.8.8.8	0xdde1	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:47.244908094 CEST	192.168.2.4	8.8.8.8	0xac5a	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:51.634251118 CEST	192.168.2.4	8.8.8.8	0x243d	Standard query (0)	jacksonnnn233.theworkpc.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 31, 2024 09:52:18.289823055 CEST	8.8.8.8	192.168.2.4	0xd784	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:25.209759951 CEST	8.8.8.8	192.168.2.4	0xec5e	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:25.703269958 CEST	1.1.1.1	192.168.2.4	0xe9ba	No error (0)	airlineagancy.casacam.net		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:32.371953964 CEST	8.8.8.8	192.168.2.4	0x6662	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:38.989593983 CEST	8.8.8.8	192.168.2.4	0xbf7b	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:39.619112015 CEST	1.1.1.1	192.168.2.4	0x4494	Name error (3)	56.126.166.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Aug 31, 2024 09:52:45.037497997 CEST	8.8.8.8	192.168.2.4	0x5c33	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:50.921895027 CEST	8.8.8.8	192.168.2.4	0x5590	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:52:56.969266891 CEST	8.8.8.8	192.168.2.4	0xd463	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:03.032295942 CEST	8.8.8.8	192.168.2.4	0xe028	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:09.078522921 CEST	8.8.8.8	192.168.2.4	0x179	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:15.109904051 CEST	8.8.8.8	192.168.2.4	0xe914	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:21.256489038 CEST	8.8.8.8	192.168.2.4	0x465a	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:27.290493011 CEST	8.8.8.8	192.168.2.4	0x9986	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:32.141691923 CEST	8.8.8.8	192.168.2.4	0xdc2b	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:37.303102016 CEST	8.8.8.8	192.168.2.4	0x7d46	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:42.175571918 CEST	8.8.8.8	192.168.2.4	0xdde1	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:47.252072096 CEST	8.8.8.8	192.168.2.4	0xac5a	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false
Aug 31, 2024 09:53:51.641166925 CEST	8.8.8.8	192.168.2.4	0x243d	No error (0)	jacksonnnn233.theworkpc.com		78.159.112.29	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:51:54
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\new policy.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\new policy.scr.exe"
Imagebase:	0x760000
File size:	2'360'320 bytes
MD5 hash:	01E7E40055D24780359493DECF90AC21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000002.1877031081.000000000428C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1884977634.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1869683888.000000000322A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1869683888.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1877031081.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000002.1877031081.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:52:15
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe"
Imagebase:	0x280000
File size:	33'280 bytes
MD5 hash:	85992141E0054144793B0767444AA3E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1859765201.0000000000282000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:52:16
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\new policy.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\new policy.scr.exe"
Imagebase:	0xc40000
File size:	2'360'320 bytes
MD5 hash:	01E7E40055D24780359493DECF90AC21
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2867271024.0000000007760000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2867912424.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.2852023359.00000000044EE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2868662775.0000000007920000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2866783271.0000000007720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2858338720.0000000005980000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2869659382.0000000007930000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2866874996.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2852023359.00000000043F3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.2835253359.0000000003201000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2868258629.00000000077D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2867384377.0000000007770000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2858583023.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2867825853.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2867712717.0000000007790000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2870061029.0000000007950000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.2870782033.0000000007980000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:52:28
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Networks!.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Networks!.exe"
Imagebase:	0x7a0000
File size:	2'360'320 bytes
MD5 hash:	01E7E40055D24780359493DECF90AC21
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000006.00000002.2239294193.0000000006173000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000006.00000002.2239294193.000000000607A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2215379715.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.2232333043.0000000004A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs Detection: 56%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:52:37
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Networks!.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Networks!.exe"
Imagebase:	0x350000
File size:	2'360'320 bytes
MD5 hash:	01E7E40055D24780359493DECF90AC21
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2303284343.000000000297D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2324492421.0000000004679000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000007.00000002.2327789577.0000000005D23000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:52:51
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Networks!.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Networks!.exe"
Imagebase:	0xa0000
File size:	2'360'320 bytes
MD5 hash:	01E7E40055D24780359493DECF90AC21
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000008.00000002.2274074926.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000008.00000002.2271006345.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000008.00000002.2274766919.00000000036F9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:52:59
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Roaming\Networks!.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Networks!.exe"
Imagebase:	0x940000
File size:	2'360'320 bytes
MD5 hash:	01E7E40055D24780359493DECF90AC21
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000009.00000002.2363417540.0000000003E7B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:53:52
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1336
Imagebase:	0x9b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	91%
Signature Coverage:	9%
Total number of Nodes:	67
Total number of Limit Nodes:	4

Executed Functions

Function 05BF2CF1 Relevance: 16.2, Strings: 12, Instructions: 1180COMMON

Download Yara Rule

Strings

$^q, xrefs: 05BF31A7
$^q, xrefs: 05BF368A
$^q, xrefs: 05BF2FF3
$^q, xrefs: 05BF3257
$^q, xrefs: 05BF369A
$^q, xrefs: 05BF3267
4, xrefs: 05BF3735
,bq, xrefs: 05BF381A
$^q, xrefs: 05BF2FE3
$^q, xrefs: 05BF3631
$^q, xrefs: 05BF31B7
$^q, xrefs: 05BF3641

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312445597
Opcode ID: d4268e9f85acb34151ccde302d72bd8840bc1f52a018fe41a57a9a1cc4b8bd2b
Instruction ID: 18941ba360bcd650f50ad38bb6c79dff966a99944b96c5c8a23f4c50c2fa2ba0
Opcode Fuzzy Hash: d4268e9f85acb34151ccde302d72bd8840bc1f52a018fe41a57a9a1cc4b8bd2b
Instruction Fuzzy Hash: 00B2F734A002189FDB14DFA8C894BADB7F6FB88700F158599E605AB3A5CB71ED85CF50

Function 05BF3087 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$^q, xrefs: 05BF368A
$^q, xrefs: 05BF31A7
$^q, xrefs: 05BF3257
4, xrefs: 05BF3735
,bq, xrefs: 05BF381A
$^q, xrefs: 05BF3631

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q
API String ID: 0-2546334966
Opcode ID: 45878c577fb2d5b91e3e944120aa0e28c0f16aa6429ded9d3ec8ca6bbbcea1b6
Instruction ID: 225b60a26dfaf3663643fa3df01a45d3d8ca1ea36fde282be8280a15412626e3
Opcode Fuzzy Hash: 45878c577fb2d5b91e3e944120aa0e28c0f16aa6429ded9d3ec8ca6bbbcea1b6
Instruction Fuzzy Hash: 1322E734A00219DFDB24DFA4C994BA9B7B2FF48700F1485A9E609AB395DB30AD85CF50

Function 013DB178 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 013DB89B
pbq, xrefs: 013DBD32
xbaq, xrefs: 013DB2A5
TJcq, xrefs: 013DB31A

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: 53419b02b67baebd2d9cf5d72df8dd65937dde5dda1f1b329a053f68f5cdd7e4
Instruction ID: 40576d87a928103e235f4a81af01d09fea5176eb9b928c0f460f78bde3e3dd9d
Opcode Fuzzy Hash: 53419b02b67baebd2d9cf5d72df8dd65937dde5dda1f1b329a053f68f5cdd7e4
Instruction Fuzzy Hash: 22A2B575A00228CFDB65DF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Function 05D5B928 Relevance: 3.0, Strings: 2, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 05D5BA47
8, xrefs: 05D5BA34

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID: fcq$8
API String ID: 0-89531850
Opcode ID: 893ddf0dbff8ba0e05f8fa4df6c3440419a11974d2a8f334d741f27f5b7ccc34
Instruction ID: 12334d40b6526e6fbc7cd60c5479c5e4e723c76fb2ea129b4ba0992da7d8a9dc
Opcode Fuzzy Hash: 893ddf0dbff8ba0e05f8fa4df6c3440419a11974d2a8f334d741f27f5b7ccc34
Instruction Fuzzy Hash: 4942C475D00629CBDB64DF69C850AD9B7B2BF89310F1486EAD44DA7351EB30AE85CF80

Function 013D6BB8 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 013D6CAA
4'^q, xrefs: 013D6C7F

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 6c5e66f72990e3891f29f371f6764da0e8ea43f729625412e627afd60f6556d3
Instruction ID: 16e8a868a07bdb8b5bc211720e0ea3b988352061fbb9dd363ad3489dc0c6e3a2
Opcode Fuzzy Hash: 6c5e66f72990e3891f29f371f6764da0e8ea43f729625412e627afd60f6556d3
Instruction Fuzzy Hash: 9671FFB4E046099FD748EF6AE4606ADBBF3FBC4700F14C52AD4449B268DB3A59068F40

Function 013D6BC8 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 013D6CAA
4'^q, xrefs: 013D6C7F

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: cd6e082fab11c5c10bbef958fef3c84bebcbb40d10deca78818d4fb27249a4dd
Instruction ID: 088e402f079ecbd6aaee1a15ae0c0df1835e57c741ecc0051083d7240cc9491d
Opcode Fuzzy Hash: cd6e082fab11c5c10bbef958fef3c84bebcbb40d10deca78818d4fb27249a4dd
Instruction Fuzzy Hash: 6A710FB4E046099FD70CEF6AE46069EBBF3FBC4700F14C52AD4449B268DB7A99068F50

Function 05D5B918 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 05D5BA47
h, xrefs: 05D5BA28

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID: fcq$h
API String ID: 0-1849521214
Opcode ID: ebdddefaa1d3bdfddd5022bcc4617747465743a66ecb42f4b0663c56b53af916
Instruction ID: 6524c56a4cd8fb784a5be54e87f928e33af4293acc567bfb77f0d821f2d86448
Opcode Fuzzy Hash: ebdddefaa1d3bdfddd5022bcc4617747465743a66ecb42f4b0663c56b53af916
Instruction Fuzzy Hash: 9C61F371D006298BEB64DF6ACC50BD9FBB2BF89310F14C2AAC44DA7254EB305A85CF50

Function 05D52EB8 Relevance: 1.9, Strings: 1, Instructions: 601COMMON

Download Yara Rule

Strings

(bq, xrefs: 05D52F88

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 4ff6a712e0b176a682d1f2f020a413b75366c52158361e653414d21606471878
Instruction ID: 3cdc2b28c4ca8432144aca77720c99dc92fe21c44aea55d0023111d79e8af188
Opcode Fuzzy Hash: 4ff6a712e0b176a682d1f2f020a413b75366c52158361e653414d21606471878
Instruction Fuzzy Hash: D0326B75A0121A8FCB15DF69C4A4A6EFBF2FB88350F14892AD956D7740DB34E806CB80

Function 05E7EFA0 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

Te^q, xrefs: 05E7F26E

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 35c43f7a8a82a769d1d92e511e49dc921850341c7a6cb59c10a1d672760c1167
Instruction ID: 2efc0aa2da15a131af190a53e4b24d4b05b8585f0f3940456902ea00ced0b0e8
Opcode Fuzzy Hash: 35c43f7a8a82a769d1d92e511e49dc921850341c7a6cb59c10a1d672760c1167
Instruction Fuzzy Hash: 69F10174E0521CCFEB64CF69D994BA9BBF2BB49304F10A1AAD459A7350EB705E85CF00

Function 05D5E6DB Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05D5E795

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4a21bc62c8e2e030ce58d1d21b3fd9f9037162d747e1b5cd5a2f9a7d17fc69e5
Instruction ID: fa008baf9473ad2f0ba3de329999441473c3bc52c9d35216d267132110691725
Opcode Fuzzy Hash: 4a21bc62c8e2e030ce58d1d21b3fd9f9037162d747e1b5cd5a2f9a7d17fc69e5
Instruction Fuzzy Hash: DC4198B9D042589FCF10DFAAD880ADEFBB5FB49320F10A42AE819B7210D735A941CF55

Function 05D5E6E0 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05D5E795

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4b25fbfd7cf1bef2ec251824a7e9797ee3683c6dc5dba4484a755ce30938b1d3
Instruction ID: dd97b2ca1aa9fc4bad7705e01a2d6febeece5e03d8ef608df5689524f983b50e
Opcode Fuzzy Hash: 4b25fbfd7cf1bef2ec251824a7e9797ee3683c6dc5dba4484a755ce30938b1d3
Instruction Fuzzy Hash: 7E41A9B8D002589FCF10CFAAD880ADEFBB5FB49320F10A02AE819B7210D735A941CF55

Function 05D5FBD0 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05D5FC5E

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 51566319d0b4448e1f0a3823d6b7fafe7bcd32a90d3230a1dafa70fa38e5d448
Instruction ID: 1d0ef346561ded214c91fc7b7c8bec23d024414fda053b620fee20c577533cb2
Opcode Fuzzy Hash: 51566319d0b4448e1f0a3823d6b7fafe7bcd32a90d3230a1dafa70fa38e5d448
Instruction Fuzzy Hash: 7D31C8B4D012199FCF10CFA9D984AAEFBF1BB49320F20942AE819B7200C734A945CF94

Function 05D5FBC8 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05D5FC5E

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b9d033f6cbfeb4ab215be0ca9030f2b306faac7e5a82162c632ffb25c024f973
Instruction ID: 4d3eaab04efdd97250253f168085038805244374c49c79a1c08f2253c7cc7ce0
Opcode Fuzzy Hash: b9d033f6cbfeb4ab215be0ca9030f2b306faac7e5a82162c632ffb25c024f973
Instruction Fuzzy Hash: 5131AAB5D112199FCF10CFA9D985AAEFBF1BB49320F10942AE819B7240C738A945CF94

Function 05D598B0 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05D59B40

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: b03302f1703a2a2cf3b125ff5d3d0afbe1d70cb917b830ac70c0df7234b9d4ac
Instruction ID: f8c1c071469c6ab81c7da3c0c76c0abf2ea9ef0a3679b24b41c31e5960b20708
Opcode Fuzzy Hash: b03302f1703a2a2cf3b125ff5d3d0afbe1d70cb917b830ac70c0df7234b9d4ac
Instruction Fuzzy Hash: 08C13674D04218CFEF14CFA9C9A4BADBBF2FB49314F1091AAD849A7254DB759984CF00

Function 05D598A0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05D59B40

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: decb08b2bd9ff8d7a91bcd90a953f7a1668f0abbea056b296c14a63ea95386a9
Instruction ID: 05cc3e9c2db915a32ffad2f7a4127b8894edfc0d693bc830c52e74d9b3ac3a99
Opcode Fuzzy Hash: decb08b2bd9ff8d7a91bcd90a953f7a1668f0abbea056b296c14a63ea95386a9
Instruction Fuzzy Hash: F4C12574D04218CFEF24CFA9C9A4BADBBF2FB49315F1091AAD849A7254DB759984CF00

Function 05E7FB00 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

Te^q, xrefs: 05E7FB84

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 6fb0bec8e1479bd895b5bd1dc6af1146c3138398a4f726be21e637044931aad2
Instruction ID: cceb29dc3fb2c00a9a5ac0efc4c6cb40cecfd15a80ed64538735a946daefbf7d
Opcode Fuzzy Hash: 6fb0bec8e1479bd895b5bd1dc6af1146c3138398a4f726be21e637044931aad2
Instruction Fuzzy Hash: BEA1F274E0420CCFEB14CFA9D984BEDBBF2BB89314F20A4AAD459A7255DB705985CF00

Function 059E7C48 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

Te^q, xrefs: 059E7DF6

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 1582b9126777319ff68abef67598d5bf72f92cffc6064bc25f4f5840cab70d67
Instruction ID: e93db04c35061cc204effc572ac9f588765232a0c4655d871e1c1a798c531184
Opcode Fuzzy Hash: 1582b9126777319ff68abef67598d5bf72f92cffc6064bc25f4f5840cab70d67
Instruction Fuzzy Hash: F9B10374E05248CFDB29CFA9D984BADBBF6FB88300F1498AAD409A7355DB705985CF01

Function 059E7C38 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

Te^q, xrefs: 059E7DF6

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 811c802c2e57aa8dd56c704ba91ce81ca391df8e0285259dac254e5a7c1c5ef0
Instruction ID: 6238c4a13b76c47c1980c20648973a7efe1516d0645d3ca49b4710d8efac8039
Opcode Fuzzy Hash: 811c802c2e57aa8dd56c704ba91ce81ca391df8e0285259dac254e5a7c1c5ef0
Instruction Fuzzy Hash: FEB1E274E05248CFDB29CFA9D984BADBBF6FB88301F1484AAD409A7355EB705985CF01

Function 059E8048 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

Te^q, xrefs: 059E7DF6

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 56b80181764c9deebbdd8ff7441fcba7d73e1f17c1d90abebdd76700d4159f94
Instruction ID: f43600316a7ca5b53edc16948f386e86baf814b29f694d588e0a6a788f88a03c
Opcode Fuzzy Hash: 56b80181764c9deebbdd8ff7441fcba7d73e1f17c1d90abebdd76700d4159f94
Instruction Fuzzy Hash: 7AA1F074E05248CFDB25CFA9D988BADBBF6FB48301F1498AAD409A7254EB705D85CF01

Function 059E6E88 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5faed833d8ddfe7a954c4800489be414bfc283539be6f00e17506a49adfab71
Instruction ID: 35dd106d1fdfcbc2ee320cda05ab45a8ba9f25cd6351aa124ead35dc75637e01
Opcode Fuzzy Hash: e5faed833d8ddfe7a954c4800489be414bfc283539be6f00e17506a49adfab71
Instruction Fuzzy Hash: 8A814570D09258CFEB25CFA9D944BEDBBF6FB49301F1098AAD409AB252DB704984CF01

Function 05D5E44B Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dee7e4b944c9e21be367bae71c1d3137e0bdc2b86b295621aa96f66b0908ec3
Instruction ID: b8c745e600f60b75fecd793bc10d71a19de17668ce838b667e56492c2d4cd7a0
Opcode Fuzzy Hash: 0dee7e4b944c9e21be367bae71c1d3137e0bdc2b86b295621aa96f66b0908ec3
Instruction Fuzzy Hash: 06712C74E01209DFDB04EFA9D594AAEBBF6FF88310F14846AE509AB354DB349942CF50

Function 05D5E458 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d073e33ae79c076d41dd85e8dab6621d77ecbc0c78e08f5a32931cdf9479a14e
Instruction ID: ba8f8913d96e2b7311d2b21dab7cccc91b9a70933bf82bb886a6dff2ad9c2478
Opcode Fuzzy Hash: d073e33ae79c076d41dd85e8dab6621d77ecbc0c78e08f5a32931cdf9479a14e
Instruction Fuzzy Hash: F0710C74E01209DFCB04EFA9D594AAEBBF6FF88310F14846AE509AB354DB349945CF50

Function 05D56AC8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65759cdb93142e934f8633660a8a9e768d621b7516f5aac18d411602fc413f5
Instruction ID: 193d2c4b145eaceb131cfeaa0d5abaf5067134c93393490f49404dd23f6c2be4
Opcode Fuzzy Hash: c65759cdb93142e934f8633660a8a9e768d621b7516f5aac18d411602fc413f5
Instruction Fuzzy Hash: 14510374D05218CFDF14DFA8D954BEDBBF2FB49322F90502AD849AB254DB349946CB04

Function 05D56AD8 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa93aa2b45098afdad0d6416854f3606044b9382232074ff88b9c7cac878fe52
Instruction ID: 756483d618629b7404af1b4f325fe84a403b07321480194fb7747f8d3db18c4a
Opcode Fuzzy Hash: aa93aa2b45098afdad0d6416854f3606044b9382232074ff88b9c7cac878fe52
Instruction Fuzzy Hash: BF511378D05218CFDF14DFA8D954BEDBBF2FB4A322F90502AD849AB250DB749946CB04

Function 059E0040 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b8479adc961e17a8b53324f3ebd261f60f8000138230758950801d047870a5
Instruction ID: a8fb74129ba210394565c3f7e7d431d667286a986d91d03ecbaf592df1af15a0
Opcode Fuzzy Hash: 57b8479adc961e17a8b53324f3ebd261f60f8000138230758950801d047870a5
Instruction Fuzzy Hash: 5041E870D052288BDB69CF6AC9447EEBBF6BF89300F14C5A9C40DA6355EB745A85CF00

Function 05BF9E28 Relevance: 7.7, Strings: 6, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05BF9FF2
4'^q, xrefs: 05BF9F72
4'^q, xrefs: 05BF9EFA
pbq, xrefs: 05BF9F7F
4'^q, xrefs: 05BF9EDC
4'^q, xrefs: 05BF9EAC

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq$4'^q$4'^q$4'^q$4'^q$pbq
API String ID: 0-723292480
Opcode ID: ffacf361ad35f7e9cf0328b997fccef73f7af10b8107ebac484b1e1b15ee6a5e
Instruction ID: a02852ec3a6bba37d50802e3011f2aacfcf3c1b39ee59a4b27c6d8b77b4adebe
Opcode Fuzzy Hash: ffacf361ad35f7e9cf0328b997fccef73f7af10b8107ebac484b1e1b15ee6a5e
Instruction Fuzzy Hash: D5518370A002069FC708EB79C8507AEBBF7BFC9300F24896DD5499B355DF34A9468BA1

Function 059A0048 Relevance: 4.3, Strings: 2, Instructions: 1778COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059A1559
4'^q, xrefs: 059A1549

Memory Dump Source

Source File: 00000000.00000002.1884421172.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: bf94791f978152413d57e5b99f7c9db04179985ba0f1a134a37d2c83916c05db
Instruction ID: 0d861adc62ba673a8782fbf52f359fe6010f3582c12903c77fa01ffdc0cbc8ae
Opcode Fuzzy Hash: bf94791f978152413d57e5b99f7c9db04179985ba0f1a134a37d2c83916c05db
Instruction Fuzzy Hash: 8DF2B270D093889FDB16DBB8CC68BAE7F75BF46300F15419AE141AB2E2C7785845CBA1

Function 05BF8F68 Relevance: 4.2, Strings: 3, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 05BF94BC
Hbq, xrefs: 05BF943D
Hbq, xrefs: 05BF946C

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq
API String ID: 0-2297679979
Opcode ID: e07d6de5648f38d2c7484bd95952bb6b97720790deb2a330499975ff2de4ba2c
Instruction ID: 93b0d9d431b385ddf9e7682e50547fcf1a626e4dfb29b63e26ff91b36783b12b
Opcode Fuzzy Hash: e07d6de5648f38d2c7484bd95952bb6b97720790deb2a330499975ff2de4ba2c
Instruction Fuzzy Hash: 84125F34A006059FCB24DFA9D494AAEBBF2FF88700F148569E5469B391DB35EC4ACF50

Function 05BFA820 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 05BFAA3A
4'^q, xrefs: 05BFAB99
4'^q, xrefs: 05BFAB19

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: f8589fd44231c26225081f0f2382a84268c6986fa7224769f3646ab1f6cd4439
Instruction ID: cf2b955abfc5e3924c515066d5b67171801294f3fd330efc30cdee989a2dfc9b
Opcode Fuzzy Hash: f8589fd44231c26225081f0f2382a84268c6986fa7224769f3646ab1f6cd4439
Instruction Fuzzy Hash: 06F1B834A10218DFCB08DFA8D999A9DBBB2FF88300F158559E506AB365DB71FC46CB50

Function 05BFF1F0 Relevance: 4.1, Strings: 3, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05BFF355
(bq, xrefs: 05BFF329
Hbq, xrefs: 05BFF381

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq$(bq$Hbq
API String ID: 0-2835675688
Opcode ID: e73e80759a1986af6df9035f900cbacddafdd72799f24ff74214a4b55d9b679b
Instruction ID: 3afcb7ec603affd52c86d63a5f35094ddee4c333d2a64b292228322dde4676c0
Opcode Fuzzy Hash: e73e80759a1986af6df9035f900cbacddafdd72799f24ff74214a4b55d9b679b
Instruction Fuzzy Hash: EBE1F034A11209DFCB18EF64D4949AEBBB2FF89310F108569E506AB364DB30ED46CB91

Function 05BF545A Relevance: 3.1, Strings: 2, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05BF57D3
$^q, xrefs: 05BF57E3

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 3031c02dc4bc5ab0e93f2c85df55bd2bac0b52c44777e7ac65b555ff80d3aef7
Instruction ID: 2a510c4c4d390bb1dfbcab81209b913ebf0ec17afac5ce9eafc8d5d07ca11829
Opcode Fuzzy Hash: 3031c02dc4bc5ab0e93f2c85df55bd2bac0b52c44777e7ac65b555ff80d3aef7
Instruction Fuzzy Hash: F9326F34A00219DFCB15DFA5D894ABEBBF2FF48300F148455E911AB395DB34A94ACF61

Function 059A18C0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 059A1D56
4'^q, xrefs: 059A1D66

Memory Dump Source

Source File: 00000000.00000002.1884421172.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: bf32fa38d30ee78f9e3e0132615c5be6e7d358e264d07d308293228c6f0d45b1
Instruction ID: 06a37e11aaa6ec3bce210f001106f6bd97f73c6d0145485c659c8a71ed0f69ec
Opcode Fuzzy Hash: bf32fa38d30ee78f9e3e0132615c5be6e7d358e264d07d308293228c6f0d45b1
Instruction Fuzzy Hash: A1F1E234E05208DFDF28DFA8E4986ECBBB6FF89315F204529E446A7254DB355881DF90

Function 05BF8618 Relevance: 2.8, Strings: 2, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 05BF8879
(bq, xrefs: 05BF862C

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: e5ffd844ef7719840b2555ad41449b01d9bc25eee7c351ff992678aaccf97029
Instruction ID: 9fdc98c5e69233da71ae473dd029605f424b400e33ef6fdcfa2dff52ff1e4256
Opcode Fuzzy Hash: e5ffd844ef7719840b2555ad41449b01d9bc25eee7c351ff992678aaccf97029
Instruction Fuzzy Hash: CED16A35700606CFCB24DF29C484A6AB7F2FF89310B65C9A9E55A9B355DB30F846CB90

Function 059A2858 Relevance: 2.7, Strings: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 059A2AE9
4'^q, xrefs: 059A2AD9

Memory Dump Source

Source File: 00000000.00000002.1884421172.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 69d587f8277890fc65f3fec4e21c06344c45605339321f005d8669d9db80dd96
Instruction ID: 98c5378483a3eaf9ecfc511dbfafba35827192313abe27db73564cc950e46df4
Opcode Fuzzy Hash: 69d587f8277890fc65f3fec4e21c06344c45605339321f005d8669d9db80dd96
Instruction Fuzzy Hash: 3391BE35E04208CBCF18DFA9D5A86ECBBB6FF89315F50842AD456B7294CB355881CF60

Function 05BF7048 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05BF71C3
(bq, xrefs: 05BF716C

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: c56e1f803590fb46109c6959afcf16f4fea11c643cce2a7ddc569fb0fe1029e9
Instruction ID: 55611187727b82b16920595eba4ab5ad96cee9ab91c33ef50f6406e3fe723ea6
Opcode Fuzzy Hash: c56e1f803590fb46109c6959afcf16f4fea11c643cce2a7ddc569fb0fe1029e9
Instruction Fuzzy Hash: 74518D313042158FCB159F29D854BAE3BA2FF84351F2485A9F9068B391CF39ED56CB90

Function 05BF4A88 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

(bq, xrefs: 05BF4B8E
Hbq, xrefs: 05BF4C1D

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: d095da4f14b6d32bdb60408d6bfaeacda5f850db9e5c1e59e828fd5fe8865ee0
Instruction ID: 687637f8b5ba8716c075d037fd70f34a242f9e1f7e89cada30b291cfb9d71107
Opcode Fuzzy Hash: d095da4f14b6d32bdb60408d6bfaeacda5f850db9e5c1e59e828fd5fe8865ee0
Instruction Fuzzy Hash: 665189347042158FC719AF29C46452E7BB2FFCA34072549ADE6469B3A1DF35EC0ACB91

Function 05BF11C0 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

(bq, xrefs: 05BF12F8
Hbq, xrefs: 05BF1324

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 27fd20dd2d70f4c34c71f2618f72e04a0ccb2666c3809d77680471bb8de8ed4c
Instruction ID: 442e53f2c0cb7cd8c40ca18fe2925594e017cddc95c9c7265ec6ffd4996051c6
Opcode Fuzzy Hash: 27fd20dd2d70f4c34c71f2618f72e04a0ccb2666c3809d77680471bb8de8ed4c
Instruction Fuzzy Hash: 3351DE312047458FD324DF7AC45031ABBF2FF96360F108A69E58ACBA91DA38E849CB50

Function 05BF9E18 Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

pbq, xrefs: 05BF9F7F
4'^q, xrefs: 05BF9EAC

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q$pbq
API String ID: 0-3872760177
Opcode ID: 0e2b82d2b22e70a9aea2b704602cae1a404eecee124cdf4cff2db11d5b4c766b
Instruction ID: 7e66a8cf8d9bd293af12bf07238ced6e93d3023af772378a69b1d53133d69896
Opcode Fuzzy Hash: 0e2b82d2b22e70a9aea2b704602cae1a404eecee124cdf4cff2db11d5b4c766b
Instruction Fuzzy Hash: 9D41C470A002069FCB04EF78C8407AEBBF3FFC8300F14892DE5499B255DB75A9468BA1

Function 05BFB700 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,bq, xrefs: 05BFBA7B

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: ab39df87f39bea36c76872bfdf80ccce3ae5ae2707a99f460c7fd44073141ce7
Instruction ID: c791c6c1c73b2dcabd05676b1f39616dfc89709653f3427324aeddb816236ded
Opcode Fuzzy Hash: ab39df87f39bea36c76872bfdf80ccce3ae5ae2707a99f460c7fd44073141ce7
Instruction Fuzzy Hash: 20521A75A002298FDB24DF68C991BEDBBF2FB88300F1541D9E649AB351DA309D85CF61

Function 05BF6040 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_^q, xrefs: 05BF62D0

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: c8ce12012588f0383eb1fc2727ae1ead03a5429fb72a474f1cbd1faf8ac3fc7f
Instruction ID: 1223e1dc4da08353b3acb63a17042370b07254b8fadd83e7901627fad1eca8a3
Opcode Fuzzy Hash: c8ce12012588f0383eb1fc2727ae1ead03a5429fb72a474f1cbd1faf8ac3fc7f
Instruction Fuzzy Hash: C9226E35A002059FDB14DFA9D4A4AADBBF2FF88300F1485A9EA069F391DB71EC45CB50

Function 05D5EF34 Relevance: 1.8, APIs: 1, Instructions: 264processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05D5F1A7

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d786e3dfea5371e7f0c08bcae90c9edec1880916c3a8c80f39601c3175adf7a7
Instruction ID: 9a94241ed37fb0c2c69a539566ca848c1a4071b985e9e8c7d90564f89513bb7c
Opcode Fuzzy Hash: d786e3dfea5371e7f0c08bcae90c9edec1880916c3a8c80f39601c3175adf7a7
Instruction Fuzzy Hash: 80A123B4D0021A8FDF10CFA9C885BEEBBF1BB49314F14916AE859AB240DB749985CF41

Function 05D5EF40 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05D5F1A7

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c34fc98db37583b905afea1890fb6fec1f322dd84ea917e83213e0376232fadf
Instruction ID: 5368bff4b67dacb17556e54b8389c34e7687b1f70628b642c656a4c560a3a0f6
Opcode Fuzzy Hash: c34fc98db37583b905afea1890fb6fec1f322dd84ea917e83213e0376232fadf
Instruction Fuzzy Hash: 3EA123B4D002198FDF10CFA9C885BEEBBF1BB49314F14916AE859AB240DB749985CF45

Function 05D5F9B0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D5FA8B

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1642b749e37561f4fce961c238d1cdd362719812912a75a833f4743152e82af7
Instruction ID: 81bdb72965e9fa63335bb2a18c68f95a352b9f0c7347508a40d651cb29ce4cf8
Opcode Fuzzy Hash: 1642b749e37561f4fce961c238d1cdd362719812912a75a833f4743152e82af7
Instruction Fuzzy Hash: 0A41BAB5D012598FCF00CFA9D984ADEFBF1BB49310F20942AE819BB250D338AA45CF54

Function 05D5F9B8 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D5FA8B

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 658b0351bd919e96e5f2efe6141a3709a063e8ee1cf3c4e8ab2aa4390621b3b3
Instruction ID: bb021d36ffb6d278b025f808657744f9cc8157ea57eb9d4f242b69850f0a9e2b
Opcode Fuzzy Hash: 658b0351bd919e96e5f2efe6141a3709a063e8ee1cf3c4e8ab2aa4390621b3b3
Instruction Fuzzy Hash: 4041ABB5D012599FCF00CFA9D984ADEFBF1BB49310F20902AE819B7250D774AA45CF55

Function 05D5F858 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D5F902

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5ecae3ff66c9f56dc0517fd5391a3c9386390778715cfc7845859b53d7373820
Instruction ID: 95f12f74ec783031626c15041345d4fc8dffddaeaa22140678dcd7e05715b237
Opcode Fuzzy Hash: 5ecae3ff66c9f56dc0517fd5391a3c9386390778715cfc7845859b53d7373820
Instruction Fuzzy Hash: B031A8B8D04259DFCF10CFA9D880ADEFBB5BB49320F10A42AE819BB210D735A941CF55

Function 05D5F851 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D5F902

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3639f26facfb8c464cdab431cbc9ccc5561e91145770c3af2ac7acc1f49a6b5e
Instruction ID: 0db37580def57d37121e4c735abed4844a41648522d8a531302f2801ea9a9e4c
Opcode Fuzzy Hash: 3639f26facfb8c464cdab431cbc9ccc5561e91145770c3af2ac7acc1f49a6b5e
Instruction Fuzzy Hash: 7831B9B9D00259DFCF00CFA9D980ADEFBB1BB49310F10A42AE819BB210D734A901CF54

Function 05C0D938 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05C0D9DC

Memory Dump Source

Source File: 00000000.00000002.1885529486.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_new policy.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 949cebded4edea88bd8d5787792a0d4d4f35d5e24889eba0a913b2b2aea9dead
Instruction ID: bb08c7371b8342cb3ca43de954068847ee0137e67e7d08756d1e6d9aa09f17ba
Opcode Fuzzy Hash: 949cebded4edea88bd8d5787792a0d4d4f35d5e24889eba0a913b2b2aea9dead
Instruction Fuzzy Hash: CF31A7B8D042189FCF10CFA9D884ADEFBF1BB49310F20A42AE819B7210D735A945CF94

Function 05D5F2F3 Relevance: 1.6, APIs: 1, Instructions: 95threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05D5F3A7

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9fdaa387f33415a4da341236a31ceaed4f2099dca8ba516551de96df1eb99b0b
Instruction ID: 3df494fb6a742e75433565d2226a137c2aeca0a330243e19579998a53f7a6a6c
Opcode Fuzzy Hash: 9fdaa387f33415a4da341236a31ceaed4f2099dca8ba516551de96df1eb99b0b
Instruction Fuzzy Hash: 3741BBB5D012599FDB10DFAAD884AEEFBF1BB49310F24902AE419B7240D738A945CF54

Function 05D5F2F8 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05D5F3A7

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dbc3466f93a6a092e9d688e6b7e6a4c34469af1da9a195563f6e82295e0f97d4
Instruction ID: 61f6080d8d879e09ada97f2b258b4af68e288928133062a1bea7ee6c1bf88dc3
Opcode Fuzzy Hash: dbc3466f93a6a092e9d688e6b7e6a4c34469af1da9a195563f6e82295e0f97d4
Instruction Fuzzy Hash: F731BBB5D012599FDB10DFAAD884AEEFBF1BB49310F24902AE419B7240D738A945CF54

Function 05D5B5F8 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 05D5B692

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 150eb09b3577ff13042acb38e79f0a668727ccbb9f83740b1faaa42a54364514
Instruction ID: 158b34cd871d73270295fcac2fae1c4c792f6ac99462dec67ae59207cb97f383
Opcode Fuzzy Hash: 150eb09b3577ff13042acb38e79f0a668727ccbb9f83740b1faaa42a54364514
Instruction Fuzzy Hash: AF31CAB5D012199FDF10CFA9D981ADEFBF5BB49310F14942AE819B7200C738A946CF95

Function 05D5B600 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 05D5B692

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f79ab2944bdbebbe77b61156f248beef5225a98a5609d89df6204ba0210a5531
Instruction ID: 94673ae0c44157fc91442dd5cce4b174b8181af5cadc52b01868522279127d3f
Opcode Fuzzy Hash: f79ab2944bdbebbe77b61156f248beef5225a98a5609d89df6204ba0210a5531
Instruction Fuzzy Hash: 4031DBB4D012189FCF10CFA9D980ADEFBF5BB49310F14942AE819B7200C738A945CF94

Function 05BFB6D8 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

,bq, xrefs: 05BFBA7B

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 9d5c230bf898c30f22276ea68358ad5811268a1539b5a031cb8ec34e2802e28f
Instruction ID: 89a21af1c338eb1beafd3637801d9d514abeb98a8d8366e685c79d0bd0bd8f9a
Opcode Fuzzy Hash: 9d5c230bf898c30f22276ea68358ad5811268a1539b5a031cb8ec34e2802e28f
Instruction Fuzzy Hash: E6C14D74A001298FDB14DB68C955BDDBBF2FF88700F1581D9E609AB3A1DA30AD85CF61

Function 05BF67C8 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

Pl^q, xrefs: 05BF69B0

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: Pl^q
API String ID: 0-2831078282
Opcode ID: 51dbf406860b62d43823e1774f143a5989e7257a65cd407418982e23cc169743
Instruction ID: 1de51b8a921c3b1bc7afeebe9886d31f0f56439244281fa2f7bc77a40cfff084
Opcode Fuzzy Hash: 51dbf406860b62d43823e1774f143a5989e7257a65cd407418982e23cc169743
Instruction Fuzzy Hash: EC91F270B001188FCB14EF68C484A6A7BF6FF89710B1184A9EA06DB3A5DB71ED45CB91

Function 05BFA811 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05BFAA3A

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 30e98ff65c52dbfb2da7001843334b2b341de5deec0883b0850f886c18474fb5
Instruction ID: 2f7b7f6a1d53519d9c4815ad74f20cd5292745ab8da02ceeaa970b161968b192
Opcode Fuzzy Hash: 30e98ff65c52dbfb2da7001843334b2b341de5deec0883b0850f886c18474fb5
Instruction Fuzzy Hash: A5A19B34A10118DFCB08DFA8D899A9DBBB2FF88301F558555E506AB365DB70FC46CB50

Function 05BF1770 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

(bq, xrefs: 05BF17E4

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d4af26eb54e4f07f8a595744fd1b984800f01137c70dfc4839348b7e40bd875f
Instruction ID: 9c3504a333b483105ace2422a8b4f3829782b6d2ddc47f3654a3ff1117a3d631
Opcode Fuzzy Hash: d4af26eb54e4f07f8a595744fd1b984800f01137c70dfc4839348b7e40bd875f
Instruction Fuzzy Hash: DD519D35A00616DFCB10DF69D480A6AFBB5FF85320F558AA9EA199B341C730F856CBD0

Function 05BF07C0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

pbq, xrefs: 05BF0870

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: df5c17e415a0af77e886344c7118583e9da80e80a2ea105a624d33223f51721d
Instruction ID: dcf50776c27a3cb79f4b99555de898540eb62784c4592227a35585207e13532a
Opcode Fuzzy Hash: df5c17e415a0af77e886344c7118583e9da80e80a2ea105a624d33223f51721d
Instruction Fuzzy Hash: 20515E76600104AFCB499FA8C955D69BBF3FF8C31471684D4E2099B372DA32DC22EB51

Function 05BFF918 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

(bq, xrefs: 05BFFA44

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: de9087b49c9e3611b39c51e4cf127f892090320df096347dee7b53f8a1725055
Instruction ID: 88b0798cffd25c6e7ffc6d7574f525bee6aa6fada03e936bb8496df3db0a06c9
Opcode Fuzzy Hash: de9087b49c9e3611b39c51e4cf127f892090320df096347dee7b53f8a1725055
Instruction Fuzzy Hash: 1C518136704214AFCB059F69D814E697FB6FF89720B1680E6E209CF3B2DA31D816DB51

Function 05BFE8B8 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05BFE902

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 5cc5eb72cd0060fa107b17bd8610bb16b48146efd7fde1fc9edd593d300f07de
Instruction ID: b9bf84501277204d95c6d6ce2b9c1b4049cfff62c23868a582808a1840e6f622
Opcode Fuzzy Hash: 5cc5eb72cd0060fa107b17bd8610bb16b48146efd7fde1fc9edd593d300f07de
Instruction Fuzzy Hash: CA418730B106148FCB08EB68D898A6E77B7BFC9700F104559E5069B394CF74AC4ACB95

Function 013DE6D8 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

TJcq, xrefs: 013DE767

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 3594be4a40749301099a3102d6505a50fc894e132d9340e7ea576c0cde835148
Instruction ID: 6e38b12dd14432d83195943d440fd3b11b11eea242ff009bd07984493c0ea460
Opcode Fuzzy Hash: 3594be4a40749301099a3102d6505a50fc894e132d9340e7ea576c0cde835148
Instruction Fuzzy Hash: A551E678D00208DFDB54DFA9E9586ADBBF6FF88304F109469E815AB364EB385949CF40

Function 05BF1068 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

(bq, xrefs: 05BF10B8

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: dc81357663563eb5d5e047b11d327807b8b944b9bb35c663f270c36f27e3ecf8
Instruction ID: cbfbb10c06b46eab1ce799094b4c7e4fe9b752ca4b6e5db18044d8c13230e93c
Opcode Fuzzy Hash: dc81357663563eb5d5e047b11d327807b8b944b9bb35c663f270c36f27e3ecf8
Instruction Fuzzy Hash: 64210436304255AFDB145E6DD854A6E7F67EBCA360F10803AEA05CB360CE319C16C790

Function 05C0EF00 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05C0EF9F

Memory Dump Source

Source File: 00000000.00000002.1885529486.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_new policy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f22d4d379b1bc57db07a4616859a1b9cb2359d1b73bbb078de215779df218684
Instruction ID: 17b1247eb1507c431ca177cc2f2394dc503746abefc8a3640fc1534901b9b250
Opcode Fuzzy Hash: f22d4d379b1bc57db07a4616859a1b9cb2359d1b73bbb078de215779df218684
Instruction Fuzzy Hash: 9831B7B8D042489FCF10CFA9D880ADEFBB5BF49310F20A42AE819B7250C735A945CF94

Function 05BF9C91 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05BF9CD9

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e4439aab315512d112e3fbb98a91c4eec62365100469edde032e327b0024e36b
Instruction ID: 1279f372b87542e103e3dc4a3bde3d6aad4565b57876a2472b55b896ce0c4a83
Opcode Fuzzy Hash: e4439aab315512d112e3fbb98a91c4eec62365100469edde032e327b0024e36b
Instruction Fuzzy Hash: 4A31A536A00105AFCF04DF9CC855A59BBB2FF8C310B1544A9EA059B365DA31EC56CF51

Function 05BF53A0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05BF53DA

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: 227a51110deb33e0133093913d8baec1c208ef3c8b4965ca679feb9641bc0c4a
Instruction ID: e7b4208556b63e957b1a26c30bbc794b628a9e03ad19bfd8bc85016554c340be
Opcode Fuzzy Hash: 227a51110deb33e0133093913d8baec1c208ef3c8b4965ca679feb9641bc0c4a
Instruction Fuzzy Hash: F6217C703041589FCB11CF2EC844AAA7BEAFF89311B144095FD06CB3A1CA71EC51CB20

Function 05BF5390 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05BF53DA

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: f376d76ffe0d75350f891d9b503712fb2d4d121d07d52b0ab0f136d4c6693f63
Instruction ID: 3b0ca0e8b90ce72e0c25d90aaeb70ea02cb5fd226826d83efec553bdc379c280
Opcode Fuzzy Hash: f376d76ffe0d75350f891d9b503712fb2d4d121d07d52b0ab0f136d4c6693f63
Instruction Fuzzy Hash: 1E2150713442489FCB15CF2AC854EAA7BF6FF8A211B154095FD06CB3A1C671EC55CB21

Function 059A0D99 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059A1549

Memory Dump Source

Source File: 00000000.00000002.1884421172.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_new policy.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 6c46581bf7a22ac372305268f1ccb37834e5d5aeb03311f434f3bb2335f60d9c
Instruction ID: 463cf2705db9b5bb548a899957d62729d96c3a45d447fe563bbf6abb8d2682e3
Opcode Fuzzy Hash: 6c46581bf7a22ac372305268f1ccb37834e5d5aeb03311f434f3bb2335f60d9c
Instruction Fuzzy Hash: C6211476D04209CFDB18DFA9C4586FEBBB2FB88301F10842AD012A7290D7395A85CFE1

Function 013D1C11 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

8bq, xrefs: 013D1C3D

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 8a9696f4bbb0961954138aeb1bfda3d0a7d593aa819c050dab25b7a49d6dfe53
Instruction ID: ded0f6a8d655fa2b53088abdd3adf42c202e6754d7699add7742d51bd6a1b90f
Opcode Fuzzy Hash: 8a9696f4bbb0961954138aeb1bfda3d0a7d593aa819c050dab25b7a49d6dfe53
Instruction Fuzzy Hash: C3019E3970120ACFDB46EB28E464BB6B3E6FF85715F1484AAE0058F27AD7759C41CB41

Function 05E66FED Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

M, xrefs: 05E66FFA

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 5e163fdcc53b5aa53cfd63b382de9312afc08fd7f96a4c32a712c8bc09f8d837
Instruction ID: 981b3e1cc25abe60803cab890927d3b6d8ded4245bb3c27f44f47b8f26be9062
Opcode Fuzzy Hash: 5e163fdcc53b5aa53cfd63b382de9312afc08fd7f96a4c32a712c8bc09f8d837
Instruction Fuzzy Hash: 0101D7B4944228CFDB60DF14D888BE8B7B5BB59384F10A8D5D499A7640DB749FC4CF01

Function 05BFC9B9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

E, xrefs: 05BFC9C1

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 7706c63577c3ae88e9351d098d26f09a439637b17a24cf636fe16b03060cff0a
Instruction ID: 9106e6cfbcadb71c65dbb44576cbced2c764005c45201ff023cf46998b7161ba
Opcode Fuzzy Hash: 7706c63577c3ae88e9351d098d26f09a439637b17a24cf636fe16b03060cff0a
Instruction Fuzzy Hash: 71F02775A4414C4BDB95DF7CE8840CCBF61FB59A6574006AED94897242C734590F8B40

Function 059E2704 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

N, xrefs: 059E2712

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 0cb198fcbafeb2b7924f53b0c530eb5649ff72f755a15c33d7e791c51a6ef1ba
Instruction ID: f4fcbc53444ed54629bfc9d88812765965e0c364c52886e7341cbfb570caf016
Opcode Fuzzy Hash: 0cb198fcbafeb2b7924f53b0c530eb5649ff72f755a15c33d7e791c51a6ef1ba
Instruction Fuzzy Hash: AB01B278E01218CFDB61DF64C888BEDBBB6FB49310F14A9A6C409B2650DB745AC0DF55

Function 059E8D02 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

A, xrefs: 059E8D31

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 3fbb24973f97ead19842f5b8df683c06cf604ed1a7ebce6595dd54f279aa8ca9
Instruction ID: 206131e2c1f54b8cb005d845c2c019f0692058877966c401cd402090bbe74cb9
Opcode Fuzzy Hash: 3fbb24973f97ead19842f5b8df683c06cf604ed1a7ebce6595dd54f279aa8ca9
Instruction Fuzzy Hash: 93D05EF8B1821E8FCB04FF24D8183AEB7B6FB85300F505A86D8495B248DBB48D858F51

Function 05BFEB08 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b1f86d3c4430c9cc568d543de55b9c91cc89e302aeea211f3206bb2ffe6f5e
Instruction ID: ba8ec26b16445ce2087a16f06e973b4eb9a102f9d8f1cd9ea6e626b8905d3b8a
Opcode Fuzzy Hash: 67b1f86d3c4430c9cc568d543de55b9c91cc89e302aeea211f3206bb2ffe6f5e
Instruction Fuzzy Hash: AA12DD34B102198FCB54DF64C894AADB7B2BF89300F5185A9D54AAB365DF30ED89CF50

Function 059E3896 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277cdee3abd19a319b5fa42b4b462adfc1bdec2ebdc8429f83d575f2cf20f4ba
Instruction ID: 694b7e416b594f3a11426124ea4629fc8f1373a467efbcb979e502615b5aaef0
Opcode Fuzzy Hash: 277cdee3abd19a319b5fa42b4b462adfc1bdec2ebdc8429f83d575f2cf20f4ba
Instruction Fuzzy Hash: C7A11574E09248DFCB16DFA8C554AADBBF6FB49300F20886AD446AB350D734AE42CF10

Function 05BFEAF8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d572d7f109390b88fa065797e0b4aa87ba05972a43683e30b532317e8676a5a
Instruction ID: 5a47b09355c9def726531d05c6f4e11ae2b56be84f8b96abd877c83a56db2f27
Opcode Fuzzy Hash: 3d572d7f109390b88fa065797e0b4aa87ba05972a43683e30b532317e8676a5a
Instruction Fuzzy Hash: C7A1EB34B002159FDB14DF64C998BA9B7B2BF89300F5085A9E54AAB365DF70ED89CF40

Function 05BFFAB0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7fdf074d0e7dfa8ba7fa45e4ecbb84a0b2dc563b76b2ccfc88483ab6704082
Instruction ID: ef52e04a4b9d60281e7d86804eea7888bd0fe452de86a6df185f96f9ff10252b
Opcode Fuzzy Hash: 3c7fdf074d0e7dfa8ba7fa45e4ecbb84a0b2dc563b76b2ccfc88483ab6704082
Instruction Fuzzy Hash: 2F811B347106149FCB18DF68D498A6DBBB6FF89710F1481A9E906DB3A5DB30EC45CB90

Function 05BF1EE8 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf28e8880a3b96dabc708a0f31dceb73ffae7481c8c27657315c607b173718f
Instruction ID: 083c1844ed9d263731b864c27db298a1a8ba22d767984d621eac63870aeee834
Opcode Fuzzy Hash: dcf28e8880a3b96dabc708a0f31dceb73ffae7481c8c27657315c607b173718f
Instruction Fuzzy Hash: FA816E39B012089FDB14CF69D958AADBBF2FF89311F2544A9E6029B350CB35ED45CB50

Function 05BF7528 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba106f4606cee19f6ea0aee0d04f9cd5268938ffb0c51cf5565a28a27e8d5c15
Instruction ID: 19a58aa8b08c098275ad9f38322003ddd23108d6b2792a15bbd72a0fa19454cd
Opcode Fuzzy Hash: ba106f4606cee19f6ea0aee0d04f9cd5268938ffb0c51cf5565a28a27e8d5c15
Instruction Fuzzy Hash: 2681E575A102189FCB25DFA8C48499EBBF6FF88310B1585E9E9169B360DB30FD45CB90

Function 05BFFAA0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ad6293294aed318a8fd705e27cb10374e843278b42a57cdeccf284cf8e8ef9
Instruction ID: 1a40199ef8b4cba93f059f49f3ce86871281f73247831d7b196e65413767ba80
Opcode Fuzzy Hash: 89ad6293294aed318a8fd705e27cb10374e843278b42a57cdeccf284cf8e8ef9
Instruction Fuzzy Hash: 1B610B34B10614DFCB08DF68D898A6DBBB6FF89710F1485A9E9069B365DB30EC45CB90

Function 05BFA3F0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8930d3b60a347c530bad81c78e275a1f29e955d36831e51c76152ca80f5478b4
Instruction ID: 29687655964f0bb4ae4d1ff1f02d79021b397cf39d6b219ae54548d3e9927fdf
Opcode Fuzzy Hash: 8930d3b60a347c530bad81c78e275a1f29e955d36831e51c76152ca80f5478b4
Instruction Fuzzy Hash: 3A516334B106099FCB04DF68E499AAEBBB6FF88711F10851AF50697364DF30A946CF91

Function 05BFF790 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0375c85051d8ff2c3085180bf8c5a410b803d78b7e71fcfca18210e5898b4a72
Instruction ID: f59329e061c61d1abb07ed76d7ee87a36544e1770fe87c9952a3b7a1e6651ca6
Opcode Fuzzy Hash: 0375c85051d8ff2c3085180bf8c5a410b803d78b7e71fcfca18210e5898b4a72
Instruction Fuzzy Hash: F7414D34300605DFD7299B68D498B3A7BA3FF89700F1485A8E6064B795CB72FC86DB81

Function 05E78D88 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fc9655a04ceb55bd743a48a9b232e5331e0ca57f8a695c717b13863e5b8677
Instruction ID: 0a62e529286245acbb0a084dc3731933872e632be3e8867b7c50e01bc2dfebe7
Opcode Fuzzy Hash: c6fc9655a04ceb55bd743a48a9b232e5331e0ca57f8a695c717b13863e5b8677
Instruction Fuzzy Hash: E951FDB4D0821DCBDB04DFA9D8486EEBBB6FF98304F10A42AD555A3350E7745A45CF50

Function 013D1D08 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f8d0729631569a1772b822146a3f3bb9eab93bd2353083f360a2383390bbff
Instruction ID: 4534144571b26070d6718eb766ad8ee2ddd7480c85336a9286b57fc6edf10715
Opcode Fuzzy Hash: 62f8d0729631569a1772b822146a3f3bb9eab93bd2353083f360a2383390bbff
Instruction Fuzzy Hash: 25416A35A01208CFCB45DF68D494AA9BBF2FF49314F2581AAE805EB366D335AC81CF51

Function 059E7988 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704b7a44ee4e86f8908cc7815b46e0088379d6676f1cefb1f701d9b23e9fdb46
Instruction ID: caecb5b23a19109040f261f28ab7680a2cb3db49184761d28376b1c758102d18
Opcode Fuzzy Hash: 704b7a44ee4e86f8908cc7815b46e0088379d6676f1cefb1f701d9b23e9fdb46
Instruction Fuzzy Hash: 0751B274D01208DFDB19DFA9D594AADBBB2FF88304F20852AE419AB350DB359946CF41

Function 059E5EA0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffc176ba081903944dc1412d62e15d57caa2939a8c2a22a26264ccb164eca4a
Instruction ID: 1fe17e0f30f177787cab89d4b553888c70d50a4224edd0f7e6a11c60c24bbed8
Opcode Fuzzy Hash: 7ffc176ba081903944dc1412d62e15d57caa2939a8c2a22a26264ccb164eca4a
Instruction Fuzzy Hash: 95419C70E19208DFCB01DFA8C445BEEBBF6FB49304F1588AAD845A7361D7799A40CB91

Function 059E7978 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dfa44c4b100365effea5dd6df1139799507aba1051ba2066e12dda4c48ef12
Instruction ID: ca7a3899fbe7577eae47755c5639a94d03b3090250df29090dd8eb08c4714818
Opcode Fuzzy Hash: b7dfa44c4b100365effea5dd6df1139799507aba1051ba2066e12dda4c48ef12
Instruction Fuzzy Hash: 3741C270D01208DFDB19DFB9D594AADBBB2FF88305F24852AE419AB360DB359942CF41

Function 013D1990 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c21e258960cdbafa2a9927348606990d4d48063c2c966f278ad8852b6e191d
Instruction ID: 48674158be26b91717835bf986f2b739fd486df84e1960a5fe60cfd20a72af29
Opcode Fuzzy Hash: c7c21e258960cdbafa2a9927348606990d4d48063c2c966f278ad8852b6e191d
Instruction Fuzzy Hash: 64418B35A05209CFD706DFA8E1847AAB7B3FB81319F1082B9C0068F799D7759986CB81

Function 05BFFDB8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9597437b1353111e80592ff455f752f38c8b8224b618406000004f941bd108
Instruction ID: c5630f4605b9194e703540856219e69b395cc98ea7c6532b46e522ba1c832efa
Opcode Fuzzy Hash: 6c9597437b1353111e80592ff455f752f38c8b8224b618406000004f941bd108
Instruction Fuzzy Hash: 61419135A401189FDF15DFA4D895AEEB7B6FF88310F1080A5D906BB254DB70AD06CBA0

Function 05BFD3D0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ecd3c90477e861a99ce050324b800d5fa55cd87c096776915eae9eab187514
Instruction ID: 89310c22266c96237ec78c723b83f412ce566670fbc74bcb4f37ad6e5da5f34d
Opcode Fuzzy Hash: 83ecd3c90477e861a99ce050324b800d5fa55cd87c096776915eae9eab187514
Instruction Fuzzy Hash: BE31F5366101049FCB05DF59D898EA9BBB2FF48320B1680A9EA099F372C731EC55DB40

Function 013D19A0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95313b29686606ef46f28ae81fe8230213f6818bd62f55ac17cc0c89fa9323f6
Instruction ID: 3983bfddaa1de503058fe3636bba631fb7add574f8b1e4b5e6645b95199911fb
Opcode Fuzzy Hash: 95313b29686606ef46f28ae81fe8230213f6818bd62f55ac17cc0c89fa9323f6
Instruction Fuzzy Hash: 3F416736A05209CFD706DF98E284BABB7A7FB84308F508279C0068F799D7759985CBC1

Function 05BF2398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b802c4137d171668f2d54e84cafc9db5ea5f8a0bb60abd496de75d5a313024
Instruction ID: ce20e611bfac1f8f360283dbb0e3ec486bea3d020495475dffd2524b18a53b70
Opcode Fuzzy Hash: 44b802c4137d171668f2d54e84cafc9db5ea5f8a0bb60abd496de75d5a313024
Instruction Fuzzy Hash: E3417E79A0061A8FDB14CFA5CC55ABEBBB2FF84340F008479D616D7290D774E949CB91

Function 013D6A45 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7076952f5e3162d2f564d6195c23b4514c2e08d81dd636cfeff04d6a20443b1b
Instruction ID: 67c64064ad744805e16104f2436bf5291da6f8632fdf10f84689264dd293a95f
Opcode Fuzzy Hash: 7076952f5e3162d2f564d6195c23b4514c2e08d81dd636cfeff04d6a20443b1b
Instruction Fuzzy Hash: EE31BDB4C092499FEB01EFA9D0597EDBFF0FF06304F5484AAD494A7252D7344A4ACB02

Function 05BF2D50 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57473787b3f77730a327888be2b76e4eee601f4443851991efaade35d9972f1
Instruction ID: 9fae4595f917576f3d9db0060a0d3291603fe06d0d74816492cb696a238268d3
Opcode Fuzzy Hash: e57473787b3f77730a327888be2b76e4eee601f4443851991efaade35d9972f1
Instruction Fuzzy Hash: 6F411278A412288FEB24CB24CC95FA9B7B1FF59320F1041D5EA09AB3A1C631ED85CF50

Function 013D6E6F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cb0bcf86c72f2399f01a77efd664f3f28337e385243ed1c21c535826370033
Instruction ID: 4f96fbbae812ac97f78ebff656916c490107938c6ee2a24c17008854e6ed7d54
Opcode Fuzzy Hash: 82cb0bcf86c72f2399f01a77efd664f3f28337e385243ed1c21c535826370033
Instruction Fuzzy Hash: 013133B0D052498FCB01CFA9D64A6EEBBF5EF89304F1484AAD459E7321EB349949CF11

Function 05BF4A79 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2817e7d7d399f7735cfcf86fed85a1394d003fe481d99bafb8c98c084154e379
Instruction ID: 1248c03ed8d20d63c8747fe41634b14038035491a8f842c27d7ed4b57cb853dd
Opcode Fuzzy Hash: 2817e7d7d399f7735cfcf86fed85a1394d003fe481d99bafb8c98c084154e379
Instruction Fuzzy Hash: 89317E387006018FD724AF25D45466ABBB6FFC5341B1449ADEA468B361DF31E846CF50

Function 05BFB190 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72f71f988adcbb029554986b39657330ae0fb687a669af9527ce48268dd10ac
Instruction ID: 39343520d098fe35d4c83204ac984a0ce3047ebb843711cfd55ac6f5bba9f15f
Opcode Fuzzy Hash: c72f71f988adcbb029554986b39657330ae0fb687a669af9527ce48268dd10ac
Instruction Fuzzy Hash: 492183313052049FC7259BAEE884A6EBBA5FFC5361B15C4BAE24EC7251DA31F845C750

Function 013DFD60 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c313b5541bf461eb9b9d60e90279faedf71653b6bb82e9a3e97f3b8b72e76b95
Instruction ID: 82585555516f4772c6c5c5ab7efa7776e428510f22bebfc188c6ea7d8531ea6b
Opcode Fuzzy Hash: c313b5541bf461eb9b9d60e90279faedf71653b6bb82e9a3e97f3b8b72e76b95
Instruction Fuzzy Hash: 693108B5E04209CBDB04DFA9D4946AEBBFAFB88304F108466D429A7359D7355942CF90

Function 013D6E80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc89113bfbe553a1f9e55ff76d53a44f5f9351bdb732e839acf4dc67e6bf15d1
Instruction ID: c3176decd1be7f82bedc341aa4a11ed37fd49f1db5d3278a539c808f21f104d4
Opcode Fuzzy Hash: cc89113bfbe553a1f9e55ff76d53a44f5f9351bdb732e839acf4dc67e6bf15d1
Instruction Fuzzy Hash: E73105B5D01209CFCB04CFA9D6496AEBBF5FF49304F1484A9D819A7320EB349A48CF51

Function 013D1DA1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84adeb94e2611ae75a41cb6cbc2d4ecde5a9cf9fea9b4fa0d8df9df73ed0e9d
Instruction ID: 391d54723d7b77d60fa7f876e76b24ed4a254e85a48e814496725593d55207b3
Opcode Fuzzy Hash: c84adeb94e2611ae75a41cb6cbc2d4ecde5a9cf9fea9b4fa0d8df9df73ed0e9d
Instruction Fuzzy Hash: 7431C339A00108CFCB44DF98E594AA9B7F2FF88315F2585A5E809AB766C734EC81CF51

Function 059EE9F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d69ccb96513f57fc6fb0ba1182e1e89d681df48a9019775abc0e3cd222a919
Instruction ID: a488c92641a2d586b67916c1eff6ea8035c5be93ca2bee8b49e62ae21f805464
Opcode Fuzzy Hash: 76d69ccb96513f57fc6fb0ba1182e1e89d681df48a9019775abc0e3cd222a919
Instruction Fuzzy Hash: D531D4B4D05208DFDB05CFAAC9456EEBBFABB88300F14946AD419B7350E7389A45CF64

Function 05BF3CC8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545673a2991cfd7475afa0b82ab812bc9d425a3a5c9a2aa66e309691c1703c09
Instruction ID: a413908b1e3ab8518556516339e5a18b00319cb9c08251cf925bd8563323b6e9
Opcode Fuzzy Hash: 545673a2991cfd7475afa0b82ab812bc9d425a3a5c9a2aa66e309691c1703c09
Instruction Fuzzy Hash: 9721A239B001198B8B10CEB9E8864BEF7F6FF8426171148B6D616D7340DB31EC19CB61

Function 05BF4820 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4ca7646fa449badabeb3b34fb48d5bceeb6a2af8d3d058edb95a0084ba4442
Instruction ID: 0532d148ca8ccc4e285535b3ce71cbbca8282b398a9b2a8d961d447c68eefd2f
Opcode Fuzzy Hash: 4c4ca7646fa449badabeb3b34fb48d5bceeb6a2af8d3d058edb95a0084ba4442
Instruction Fuzzy Hash: 91212731E002599FDF00DAB4E544BBBBBF5AB44244F1080A6D61AD7290E734EA59CB91

Function 013D6A88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bea5fb4ede134182eba58283959aa28fe0cc40afebd92821e066a3fd4637e61
Instruction ID: c1f84ea04d565c2ff44e79ada13814bfe9fb71e399dc855266b3d3691ffdb044
Opcode Fuzzy Hash: 3bea5fb4ede134182eba58283959aa28fe0cc40afebd92821e066a3fd4637e61
Instruction Fuzzy Hash: 59317AF4D04208DFEB00EFA9D0497AEBBF5FB45308F50819AE499A7340D7744A89CB02

Function 0109D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862401086.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38dcf8265e9f08520ddf105c43dac2ad2d12b1991a7de5617f84e546b0cc8b93
Instruction ID: 71377969fb4a8190397ea18ba640ec047023f60ad6d1973f9b75e0fe3f148965
Opcode Fuzzy Hash: 38dcf8265e9f08520ddf105c43dac2ad2d12b1991a7de5617f84e546b0cc8b93
Instruction Fuzzy Hash: B82145B1544240DFCF11DF58D9D4B2ABFA5FBC4354F24C5A9E9890B242C336C406D7A2

Function 05BF0F69 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a59668ea93ead1067e7c4ba3e18c9dab028fbbc4758bd6755d66a072f390cb
Instruction ID: ac9ac87191b4fbee7a69519cd2ae0b677b0fe8859b9124a1f0ded1531db99b60
Opcode Fuzzy Hash: 90a59668ea93ead1067e7c4ba3e18c9dab028fbbc4758bd6755d66a072f390cb
Instruction Fuzzy Hash: E5214C35E00109EFCB14DF69C854ADEBBB6EF8D320F15852AE911B7390CA719845CBA0

Function 05BF8A30 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0f4adfceba92f1fa9db50fa390b2625e630c524bd98c1d27577e5580dbfbaf
Instruction ID: 5675491fb8a9b14e867de5d93c10162debbd0001a2612414894e270f2a199818
Opcode Fuzzy Hash: aa0f4adfceba92f1fa9db50fa390b2625e630c524bd98c1d27577e5580dbfbaf
Instruction Fuzzy Hash: D5211575A002098FDB05DF98D985ADEB7F2FF88300F2045A5E505BB3A1CB76AD45CBA0

Function 059E8130 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92381cd313e250b360215e7d665191f9b0f26a61a49b4cef37379000deab7d23
Instruction ID: 41b3688edcd886b3898558d8a34a47b1a576593ab8c5f7869304a806208796da
Opcode Fuzzy Hash: 92381cd313e250b360215e7d665191f9b0f26a61a49b4cef37379000deab7d23
Instruction Fuzzy Hash: CA211BB4E0420ADFCB15DFE9C9846BEBBB6FB48300F14856AC815A7354D7349A81CF91

Function 05BF04F1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5feba4afdc42dd38f359bc08ae6bf81ec1b95cc0d99711282a8f01107dea300b
Instruction ID: 5c1f21b1256af3a4ab802a800d933afb689ec106ea52d4c350ba30580f68faf2
Opcode Fuzzy Hash: 5feba4afdc42dd38f359bc08ae6bf81ec1b95cc0d99711282a8f01107dea300b
Instruction Fuzzy Hash: 6321F970A002065FCB24EB38D4557AEBBB6EFC5300F10493AE44ADB645DEB4995A8BA0

Function 05BF9B20 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba1a2a037a6ba1b02802accf2e2238cc6427a3ccfad662e0f96237ae599534c
Instruction ID: b3db859e8a89bdae2549d01c704b47ce1936b0e641825f6a909258da8435494a
Opcode Fuzzy Hash: eba1a2a037a6ba1b02802accf2e2238cc6427a3ccfad662e0f96237ae599534c
Instruction Fuzzy Hash: 97219D70900516EFCB04DF58C8C4AAAFBB6FF84340F51C5A9EA059B606D331F899CB94

Function 05BFFEFA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d4af3bab98c1e8c3a36d418fbec8905830aadf04702a9c3b506c65032f09e5
Instruction ID: 5af11f5888751a2f35167b46d0869765c1ad6615944fffc748c399c18f4be914
Opcode Fuzzy Hash: 46d4af3bab98c1e8c3a36d418fbec8905830aadf04702a9c3b506c65032f09e5
Instruction Fuzzy Hash: C211B4357002049FC7159A64D454B7F77A3FBC9320F1485A8D6465B790CB71EC469B90

Function 05BFF6D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fa942707b1c6d9ec2a4a0f85a92ba697a5868d2d0bdefa2204438baf55c231
Instruction ID: e9d2b2ca0f87d8a41db0c772976a5045c074be06c8927df2bb06c889f25543d6
Opcode Fuzzy Hash: 88fa942707b1c6d9ec2a4a0f85a92ba697a5868d2d0bdefa2204438baf55c231
Instruction Fuzzy Hash: 1C21B135B106048FCB14EF68D984AAEB7F6FF88710F144569E506A73A4DB30ED08CB61

Function 013DC390 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9559208f61500edb94a055a24b053966e63c02a921e33fe8d45111f9d13365
Instruction ID: ea1e25a78c277ebdb6c61a998c7a01cc2157824c48da93ffe6af29cb7a5ff2a2
Opcode Fuzzy Hash: 5e9559208f61500edb94a055a24b053966e63c02a921e33fe8d45111f9d13365
Instruction Fuzzy Hash: E8113771D1421DCBCF15CF99E5446EEBBF9FB88314F04A42AD504B3210DB781A45CBA0

Function 05BFAD40 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011b4c2cf9624c72a7d3a6dd9b888f892902a487801735f8e19a531297d75b96
Instruction ID: ffaf2742ea4f75c7ab2b75272ebf129d088be2c737201d6220768f3fbdd3f707
Opcode Fuzzy Hash: 011b4c2cf9624c72a7d3a6dd9b888f892902a487801735f8e19a531297d75b96
Instruction Fuzzy Hash: A10184353101005B8B14AE2DE4D596AB7ABEFD8621314807FE60ACB355CF71DC498B90

Function 0109D017 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862401086.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_109d000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4debc72d566a432075444213d0986bb668aee8537d1fa8b58e63e6cf4e4d047
Instruction ID: 9ce346339c29d8350e0a1055692f4dd68ff6376502404c7767a9ebae6e8b6af1
Opcode Fuzzy Hash: d4debc72d566a432075444213d0986bb668aee8537d1fa8b58e63e6cf4e4d047
Instruction Fuzzy Hash: 99110076444280CFCF12CF58D5D4B16BFB2FB84314F24C6AAE8490B656C33AD41ADBA2

Function 05BF1920 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a41582644321717649bb33cc742511f7dce3d872762e0b42663f2d502824b0
Instruction ID: 3ca5c1a2b6f55408757f27b95cb70520fa76f19838cfe2f7278bbcf103299d8f
Opcode Fuzzy Hash: 69a41582644321717649bb33cc742511f7dce3d872762e0b42663f2d502824b0
Instruction Fuzzy Hash: 4111A031B002059FDB64DF6CC8057AEBBF6EF88640F15846AE615DB380EA30D906CBA1

Function 059E8120 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf8e28cb946783d1d60d854e7a7046a26c23e8a1a77fd1b995ec82f04377a2b
Instruction ID: 054b0a5a1f1797151147ca4e9dfee00c05808ba63cf40b518bf015f614bb248b
Opcode Fuzzy Hash: ebf8e28cb946783d1d60d854e7a7046a26c23e8a1a77fd1b995ec82f04377a2b
Instruction Fuzzy Hash: D91127B4E082099FCB56DFE9CA412AEBBFAFB45300F1485AAC449E3301E7354A41DB81

Function 05BF1568 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4db85276b0d9e2641300e42e308c298cfc0ea9351d282ee6cb1dd7b56b7e067
Instruction ID: bd7dbdd59db8db420de394af165f388843cc81ee8b7562cdc02fe8e377c22477
Opcode Fuzzy Hash: c4db85276b0d9e2641300e42e308c298cfc0ea9351d282ee6cb1dd7b56b7e067
Instruction Fuzzy Hash: C4018436340214AFDB108E59DC84FAEB7A9FF89721F118066FA05CB290C6B1D8148750

Function 013D18EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7222a54472588b7a38a111e1867e245b2afc24ef4c4127f53b6396198cef4d41
Instruction ID: 711c0a2ff465964a6398b007047f83730917af82a61e266c4e65172da92cdb9d
Opcode Fuzzy Hash: 7222a54472588b7a38a111e1867e245b2afc24ef4c4127f53b6396198cef4d41
Instruction Fuzzy Hash: 41014C367091058FD70A977AB81867AB7A7FBC9314F58807AD145CF259CA740D46C781

Function 059E844D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11292355b0f9b323a32d24575c8e638b89923d4d333eeeb7fd302fbec3127f68
Instruction ID: 29373276fab26b2f33c94edcb12fb80fc65eae9f912bed371ee829cc124f9323
Opcode Fuzzy Hash: 11292355b0f9b323a32d24575c8e638b89923d4d333eeeb7fd302fbec3127f68
Instruction Fuzzy Hash: 4021A274A112288FCBA1DF28C955BD9B7F1AF49301F5041EA994EA7350DB309E85CF41

Function 05E7E1E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1250c7500351e344905cc67eca9867bd4469bbb3819387d6e931d3c87d08ae
Instruction ID: 8af2c0a56d7c356ae814a260caeb324cb41b0d9526c6f86e1c310a7979bf1a37
Opcode Fuzzy Hash: 1c1250c7500351e344905cc67eca9867bd4469bbb3819387d6e931d3c87d08ae
Instruction Fuzzy Hash: 6911B7B4E0020A9FCB44EFA9C9556AEFBF1BF88300F10856A9558A7354DB349A418B95

Function 05BFFF08 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d3c8d6a161507ad243cd76581eeb17d52979ff80203373f3be6e86e295b243
Instruction ID: e96af77092a189e1e99f2b59f105832de3cc479261f49f8b4f3a357d541e9ebc
Opcode Fuzzy Hash: d6d3c8d6a161507ad243cd76581eeb17d52979ff80203373f3be6e86e295b243
Instruction Fuzzy Hash: A4017131301644AFC7299B64D458A3B77A3EBCA320F1486A8E6564B794CB75FC46DB80

Function 05BFCF78 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba602b03780b73a47e708606fe462272e6dba3322771ee8a6d3f974b5f584f05
Instruction ID: 616f9350a9fa000a48d76b266c1e44c2d2e3dc249e9e85bb66a55576faf66347
Opcode Fuzzy Hash: ba602b03780b73a47e708606fe462272e6dba3322771ee8a6d3f974b5f584f05
Instruction Fuzzy Hash: FFF068712006069BCB10DF19DC82F8BF7AAEFC0314F20CA2BB91787751DA74E9558690

Function 05BFDE01 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b941910727d2b099ebd6e87a12727cadcf76d9d9d4e14f4275af1484fa5209c
Instruction ID: 75b1357f155956d318f478d5eeddb62f4572e389a11304b159d8e565ec2b8636
Opcode Fuzzy Hash: 2b941910727d2b099ebd6e87a12727cadcf76d9d9d4e14f4275af1484fa5209c
Instruction Fuzzy Hash: 21018F793009159FC7199B28D459A1ABBB2FBC8711B10846AE90A8B794DF71EC42CF85

Function 05BFA3E0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ea81ae30e9509d182bc7fd3102f02afef76ab5978c41d08894f29b4e65f1b9
Instruction ID: cbb73eb93fe68a537d4b1e2265ea731c34edf22c17aca2a61dab5386694857ab
Opcode Fuzzy Hash: 68ea81ae30e9509d182bc7fd3102f02afef76ab5978c41d08894f29b4e65f1b9
Instruction Fuzzy Hash: 21F02B367001086BCB189A19D8889AEF3AAEF84220F448165FD19D7361EF30AD1B8791

Function 05BF0999 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba061dd648ca556db43a14b687db055a15797c6ceb5867a37a536ac8778860a
Instruction ID: 6d664ae172e4e2e69a740b9ea993adbfde8b63d5bc1e353827068883b227f217
Opcode Fuzzy Hash: aba061dd648ca556db43a14b687db055a15797c6ceb5867a37a536ac8778860a
Instruction Fuzzy Hash: BFF04632F092151FE3049658D81572BBBA5EBCA310F1484A6E50A9B392DA71AC058790

Function 05BFDE10 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb14ff36088c33600318a8365f177aa77d8fefd70888f95d54dfe48440c7c8d5
Instruction ID: 733af99c4d8703d50627b43be0e1f93fff2424249b4ad9ee374474b8560c1f91
Opcode Fuzzy Hash: fb14ff36088c33600318a8365f177aa77d8fefd70888f95d54dfe48440c7c8d5
Instruction Fuzzy Hash: 730181393005149FC7099B28D058A1ABBA2FBCC711B108569E90A8B794DF71EC42CFC5

Function 059E80CF Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9784702b065c6c03757e7096f8124a642cc31d11c1a846d1b445b5c0f128caf7
Instruction ID: adbb3362aec4f9e7103d606536cc5a09188ba8d97f48bfb2d63a6e9a626eae70
Opcode Fuzzy Hash: 9784702b065c6c03757e7096f8124a642cc31d11c1a846d1b445b5c0f128caf7
Instruction Fuzzy Hash: 0BF0F9B5E09208EFCB52EFA8D9456ADBBF9FB49301F1080E5D80997351D7369A00DB85

Function 059E7BCA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35435ab62507d7a95af0e6d5e428e08ef7bd0ed94fe97e85597ca6d607bf8744
Instruction ID: d0a62223164648c13884373ceeda7100de8c38b3fa01e3be8e5e5c77fe64830d
Opcode Fuzzy Hash: 35435ab62507d7a95af0e6d5e428e08ef7bd0ed94fe97e85597ca6d607bf8744
Instruction Fuzzy Hash: B701F6B0D05209DFCB45EFB8D9453AEBBF8FB08205F1445AAD409E3380E7344A80DB92

Function 05BFDB88 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2f796332d0d9407c6df409e611fb2f392d06cb793f0efa51f7d46763d8aee9
Instruction ID: 63a270f7831ccbb846b30551a21110805ebfee4fe0155d115e612f01cb6b586b
Opcode Fuzzy Hash: ec2f796332d0d9407c6df409e611fb2f392d06cb793f0efa51f7d46763d8aee9
Instruction Fuzzy Hash: 51F04F353102009FD7089F19D446F6A77A6EB89721F244469F506CB761CA31EC829B40

Function 05BF0A00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d83858d71484c15c842fa858b91cd3472e7a6b4a9f13464bf8d85f57837721
Instruction ID: bee45cd34d4708d2fdddc3f63d46f6d08bdedade3e4d6238e7a3a2ec2c27a1c6
Opcode Fuzzy Hash: e4d83858d71484c15c842fa858b91cd3472e7a6b4a9f13464bf8d85f57837721
Instruction Fuzzy Hash: 1AF02B62F0E3554FF312523C1815325BFA2DBD6200F1984DBC6878F2B3E956AC0AC350

Function 013D1B40 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb179fa2858aa66a9c893ce921f2c99373d7a1a0767e4601a3852bb42ee0a17b
Instruction ID: 3fb1c592e60f9100f18e0dcb38bffbde850d13d5574cd8600a4ecfc72d073532
Opcode Fuzzy Hash: bb179fa2858aa66a9c893ce921f2c99373d7a1a0767e4601a3852bb42ee0a17b
Instruction Fuzzy Hash: 1501A476911229CFC711DFA8E5192BABBF9FF04B14F1441ABD8459B615E3711A00CBC0

Function 05BF09A8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e1df36bab08f0cd630ea00a3610efda2e91d99471988c894f5937c1d01a7b3
Instruction ID: 787ac995c712fbd96da43dd24c98739179819d2b406239f3e1e35c74538e322f
Opcode Fuzzy Hash: 37e1df36bab08f0cd630ea00a3610efda2e91d99471988c894f5937c1d01a7b3
Instruction Fuzzy Hash: C1F05931F042161FE314960C981472FF7AAFBC8310F148469E50B9B351DB71BC4183C0

Function 059E71F9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e116009bf53e2efef452a207a19ac039916771772ab16094061f35e5e907dc
Instruction ID: 1cbd52fb0bd9a722600a3854a24b424a709deca0d3c9df91b82217b951ca69e6
Opcode Fuzzy Hash: 31e116009bf53e2efef452a207a19ac039916771772ab16094061f35e5e907dc
Instruction Fuzzy Hash: 56012C74D0D288DFDB09CFECE5887A8BBB1FB01314F1844BAD41AAA256D7365955DF00

Function 05BF1521 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e668af9905864e0add0c9436f9b7dadba740a8cb4c81461c6530a9a1dbbdf654
Instruction ID: af1937b1d7d7593e39101a870b335f28756883db0563ff796e42c399dd65c9a0
Opcode Fuzzy Hash: e668af9905864e0add0c9436f9b7dadba740a8cb4c81461c6530a9a1dbbdf654
Instruction Fuzzy Hash: 96F08236340241CFD704CF2ED884F59B3A5FF9A626B55C5AAE616CB321CB71D809CB50

Function 05BF4C79 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd01d777bf0208cc7187fbbf9dd4b224c7b31b2177d8901e01df8b34465ad2c6
Instruction ID: 5d0cfda646ec1f20079822ca44ebff6216426cf5c4e7864fb77e659027f61018
Opcode Fuzzy Hash: dd01d777bf0208cc7187fbbf9dd4b224c7b31b2177d8901e01df8b34465ad2c6
Instruction Fuzzy Hash: E8F0BE323053445ADF609775DA467A63390EB06264F2515DAC7128A681EA22B84BC710

Function 05BF1561 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d57e0454c40d55291c5d25c4d6ec79506c0f57b42438c8649f289de4a5127b
Instruction ID: 7c32eafb5989aa7c0d7208cd251267f6fecb1136fc9f8d3c9dd4d2844ec5e238
Opcode Fuzzy Hash: 71d57e0454c40d55291c5d25c4d6ec79506c0f57b42438c8649f289de4a5127b
Instruction Fuzzy Hash: 5BF01C363406159F8704DF6ED884D5BB7A9FF8A66131184AAFA06CB321CA71E818CB90

Function 05BFFA78 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69df9e922f54fe513f7dde047b63e4a9df04e3f773de82b66d30316110fab1a
Instruction ID: 116b78a54ebd0ad74372a6747be3e9e90674cf1dd1dd4f4c2ec1ea04127a6a3a
Opcode Fuzzy Hash: a69df9e922f54fe513f7dde047b63e4a9df04e3f773de82b66d30316110fab1a
Instruction Fuzzy Hash: 31F0AF7B250114AFCB469F94E905E507BB6FB1C22171680D1F2098B232C332D821AB90

Function 059E3820 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9757159840346e3c413a4a7e7271c4bc5b6705a362eafbfff5b1556181ba228f
Instruction ID: 207c039c2ac626ce06e2a81728b6816925e6ca8c2a730fad20e7068fbbe767ff
Opcode Fuzzy Hash: 9757159840346e3c413a4a7e7271c4bc5b6705a362eafbfff5b1556181ba228f
Instruction Fuzzy Hash: 7CF09670909248EFCB41DFA8C851AADBFF4BF49301F04C0EAE958D7342D6399A11DB50

Function 05BF9C3F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dcdd4f34a8c4b2367d8da503a41e6945e1b1eb07e09ae14e1a3180db9e506f
Instruction ID: 0bd2b6837bb59add1b4048268157baf904075113fb30f8442e2d50bef904634b
Opcode Fuzzy Hash: f3dcdd4f34a8c4b2367d8da503a41e6945e1b1eb07e09ae14e1a3180db9e506f
Instruction Fuzzy Hash: FEE06C712002065BC710DA1EDC85A4BFF5BEFD0324B24C936B406C7715CD74D9474A90

Function 05BF2C51 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fef186b1bb76e63e1ec94d913d2669050ea4c6ec64c5f5d93159435e89765d6
Instruction ID: 35b087eaaa94110db4e61cd0c0f1ebbf414f7fd8d6b2a78eb92cb99d0cde322e
Opcode Fuzzy Hash: 1fef186b1bb76e63e1ec94d913d2669050ea4c6ec64c5f5d93159435e89765d6
Instruction Fuzzy Hash: F0F0E231904618AFEB05CB95D44D3CDBFB6EB85224F14C495D106D7340DB301686CB84

Function 05BFDB98 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d679b65737fd95aab87736d20a7a6806a67cb6973c13fed6460876dbf569c7
Instruction ID: bac8f7681e08f061a90a054386db8bd921c45215596c1415a83c29deb5af641f
Opcode Fuzzy Hash: 23d679b65737fd95aab87736d20a7a6806a67cb6973c13fed6460876dbf569c7
Instruction Fuzzy Hash: CEF03A393102009FC3089F1DD454D2A77AAEFC9721B1044AAFA06CB360CE31EC82CB90

Function 05BF041D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711e9598650882a1c221f4880d75e72c12aa4cdc45eb5636bcdb78931b7cabd5
Instruction ID: 84e03726e02f702064e00507218f7913f0ea0821e2e43b6e3a08fecac2eab7e9
Opcode Fuzzy Hash: 711e9598650882a1c221f4880d75e72c12aa4cdc45eb5636bcdb78931b7cabd5
Instruction Fuzzy Hash: F2F0E27190B3896FC702DB78D9127CA7FB1DB43244F2541E6D588CB383D42A9A0A8351

Function 05BF9BF0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a2091b7235a9cb2387b6d5f03bdf22691f867fa48db4ad44cc0c78c9396201
Instruction ID: 1e4bea67b4f833b36c82891cd79a6a882e2bb7e10da85d0b5b32168b610dbeb2
Opcode Fuzzy Hash: 70a2091b7235a9cb2387b6d5f03bdf22691f867fa48db4ad44cc0c78c9396201
Instruction Fuzzy Hash: FFE0206530952247DB39092DAC46B66E9E5EBC5B24F50027FF946CB304D800CC874FF5

Function 05E68585 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c818efed1275c10ebbf618396816d5aba3b79f9ba9a1ec180984d9d44a45ba
Instruction ID: 61a4f78c556c9523948619b1161ae62d37539ef3755010b0f646421ebf99a90a
Opcode Fuzzy Hash: 89c818efed1275c10ebbf618396816d5aba3b79f9ba9a1ec180984d9d44a45ba
Instruction Fuzzy Hash: 1401C8B8E442288FDB64DF28CC94ADAB7B1FB49701F4081D9DC49A7344EA349E85CF00

Function 059E6049 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f452c60c303e12e7f0642344733969db43fd0c13496d6c6c6f9b6b2580f8c27
Instruction ID: 33ea080aeacb33b0e75c8f422195862f6d0ccf30eeb25a0643c98301f5030682
Opcode Fuzzy Hash: 7f452c60c303e12e7f0642344733969db43fd0c13496d6c6c6f9b6b2580f8c27
Instruction Fuzzy Hash: 30F0E570805208BFC712DFA9D8517ACBFB9FB44320F14C0AAEC4493740D7399A11DB44

Function 059E5E58 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8490115613f519e584d933cbb1213911a3ba06546fd28612ed080a8d723dabf
Instruction ID: 7f14d07fad4c1d0d5194562e1c67b8c69b2e09ab86a88688e4181cc10c699d0f
Opcode Fuzzy Hash: b8490115613f519e584d933cbb1213911a3ba06546fd28612ed080a8d723dabf
Instruction Fuzzy Hash: 12F06D70A05208AFC751DFA8D88AB9CBBB4FB44309F1440EAE844D7B50E2359901CB41

Function 059E3830 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96de2e0df4f7ce008269290593d016820cd084a83aa270515120223a92e80a27
Instruction ID: e58ef55d722466c88b3c9e3a89ca459f62dee6d9f906316c6c99fdb27fd24ef7
Opcode Fuzzy Hash: 96de2e0df4f7ce008269290593d016820cd084a83aa270515120223a92e80a27
Instruction Fuzzy Hash: 59F01C74D04248EFCB85DFA9C940AADBBF8BB48311F14C4AEE898D3341D6399A11DF50

Function 013D086B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585814b50cece7b4614e354d75133937be10872744a7b88ca9cf5fe5752d717b
Instruction ID: d87b27143660da6d2dd42e1bfddbf88298d475cbe5f8babc7925655dee94d752
Opcode Fuzzy Hash: 585814b50cece7b4614e354d75133937be10872744a7b88ca9cf5fe5752d717b
Instruction Fuzzy Hash: 25F0C93114D3D25FC7176BB4A9380983FF5AE4766430900EBD485CE1A2E65E0D4687A6

Function 059E5DC8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb98b0f66843d2b60ded1efc9715c15aec50e7b9afaaacc230e9da87eee14616
Instruction ID: f8dd604016eae6b3d54440082c13ec640cf6468ed1dbb0cd697b2b128355e889
Opcode Fuzzy Hash: cb98b0f66843d2b60ded1efc9715c15aec50e7b9afaaacc230e9da87eee14616
Instruction Fuzzy Hash: CBE09270905208EFC741DFA8C989B9C7FF5FB04215F1080A5E804D7750E234DA80CB50

Function 05BF2C60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894a5271f8d8489d0bfa588bc4366574bad628baed7bb62db526b96ade3e25ed
Instruction ID: 343217ca7c30a6a616c280a92030baca3a81342223a91da6c5063f3e8e3f5eab
Opcode Fuzzy Hash: 894a5271f8d8489d0bfa588bc4366574bad628baed7bb62db526b96ade3e25ed
Instruction Fuzzy Hash: F7F0ED31E04218AFEB09CF98D44C6CDFFB6EB88224F04C4A9E00693280DB701A84CBC4

Function 059E5EB0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a3ce5f9b53b31dbeff7cac0f61939ba27eb65412036dc5598c708ee4989310
Instruction ID: bfcad61387e76221807a673b7921ccae63424653921c4eabf746f18362b214af
Opcode Fuzzy Hash: 12a3ce5f9b53b31dbeff7cac0f61939ba27eb65412036dc5598c708ee4989310
Instruction Fuzzy Hash: EEF03974E08308AFCB55EFA8D4496ACBBF4FB44200F0085EAD899A7390E6389E00DF41

Function 05BF9C50 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6571eec3332c6a09eb32ac39aaacf6be5aa6ea286a1565cb3aca4e7e051541c
Instruction ID: 34b2d1ff6e3cdff623ffe136bc29f1399d4e6b3c7a5b5bf4a3e2792f3cafccb6
Opcode Fuzzy Hash: a6571eec3332c6a09eb32ac39aaacf6be5aa6ea286a1565cb3aca4e7e051541c
Instruction Fuzzy Hash: 17E01A722002065BC710DA1EE88584BFB9AEFD0264724CE3AB50A87625DE74ED968A90

Function 013DC188 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3037b17a108cef728fbcf1ae41dd50f9b59422b916c0d413a669be9720ce51dd
Instruction ID: 6cb64ab708fd315d7287f1fe3b851ba6a6eb40c64963b9cda64733b25a56a67b
Opcode Fuzzy Hash: 3037b17a108cef728fbcf1ae41dd50f9b59422b916c0d413a669be9720ce51dd
Instruction Fuzzy Hash: 23F01534D04208EFCB40DFA8D940A9CBBB4FB48314F10C0AAE84893350D6369A12DF80

Function 013D1B90 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d823c81b0676f75909e4d17846523b74f50eef346088313f850448c0459159
Instruction ID: 9921bb45e7a8196fb9595dd4e43c5a0b745d35d7982c705051b6b8a8bc49ee88
Opcode Fuzzy Hash: a5d823c81b0676f75909e4d17846523b74f50eef346088313f850448c0459159
Instruction Fuzzy Hash: 06F06D7E601219CFC722EB98FA59BB8B3A6FB40719F4401A6D8098F619E3741940DB80

Function 059E5E10 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2767c3407d12f87b9d6cd3e076b63a85863975ec6363757c830fbc4259193b6
Instruction ID: ac199367892de4004540ab3e6f4497513181848d7686578a614e7f5eb6c9eb42
Opcode Fuzzy Hash: f2767c3407d12f87b9d6cd3e076b63a85863975ec6363757c830fbc4259193b6
Instruction Fuzzy Hash: 1AE04FB0806208BFCB55EBB8D94A39CBFB5EB04711F1044A9D949E2755E6388A51E741

Function 059E1249 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549a56d6e503e8a8bc70475a8a7605249978e94a512e99c4ac06fe20ce7cc1cd
Instruction ID: 0c7de7a8a388b59ec5eb901b7fe4c7e53dbcc6bfa37a3d78ae2b95dd2a156857
Opcode Fuzzy Hash: 549a56d6e503e8a8bc70475a8a7605249978e94a512e99c4ac06fe20ce7cc1cd
Instruction Fuzzy Hash: D8E09275804208EBCB00DF94D9857ADBB74FB56311F1480A9DC4467355D6319A12EB48

Function 05E753C8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94363801b9f7208185527e007fa12b6a136c1149190e0654135adc684bb4889
Instruction ID: 4d8543707ff09cd2a3d62f033865243b7e6a390a08128dad08daf2d0094213c2
Opcode Fuzzy Hash: f94363801b9f7208185527e007fa12b6a136c1149190e0654135adc684bb4889
Instruction Fuzzy Hash: 1FE03974D04208EFCB40DFA8D584A9CBBF4FB48301F10C0AA984893350D6359A01DF44

Function 05E7AEC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94363801b9f7208185527e007fa12b6a136c1149190e0654135adc684bb4889
Instruction ID: 0855aaf4fb89d8928439f40cb7beaa5d8f9727f64977a4f79325aacecb200ca4
Opcode Fuzzy Hash: f94363801b9f7208185527e007fa12b6a136c1149190e0654135adc684bb4889
Instruction Fuzzy Hash: E5E0C974D09208EFCB44DFA9D544AADBBF5FB48311F10C0AA984993350D6359A51DF45

Function 05E79680 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94363801b9f7208185527e007fa12b6a136c1149190e0654135adc684bb4889
Instruction ID: a7713b88a65cd97c0a74e372c2f00ee677a5a874c3fead59298fa7219dcf4803
Opcode Fuzzy Hash: f94363801b9f7208185527e007fa12b6a136c1149190e0654135adc684bb4889
Instruction Fuzzy Hash: 51E03974D04208EFCB40DFA8C54069CBBF5FB48310F10C1AA9858E7341D6369A01DF49

Function 05BF0481 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb31827acdd3e5d0b2142cf7a7b0fa44a5aee78936edda73a0f72fa87729a9b9
Instruction ID: e5f174d288fab42d28f8a5587093d2175c7686241f18f21b174de2fa10bb2175
Opcode Fuzzy Hash: cb31827acdd3e5d0b2142cf7a7b0fa44a5aee78936edda73a0f72fa87729a9b9
Instruction Fuzzy Hash: D4E04F30A4520CEFCB04EFB4DD227AE7BAAEB46241F2085A8E908AB241D9755F05DB51

Function 05BF4C88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a882750bf4161ab0eb4bf36d6677ed3a42e14ddbc98a48feef85d784d32496
Instruction ID: 926c2c5784688d6f950fa6c8da70d37577390b4359358d86d72c195552887d30
Opcode Fuzzy Hash: 49a882750bf4161ab0eb4bf36d6677ed3a42e14ddbc98a48feef85d784d32496
Instruction Fuzzy Hash: 86E0C2313463059BCF20E6F5980AB6332DAAB49714F2108EAE7059F3C0DAB2FC86C751

Function 059EE920 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57666e9c2a922e467b17ca5d48e0ffefb9ae641652301427170cc1afeebcb54b
Instruction ID: 859953c0e3ff8ed0ec238830d01707c469a4753f2dcb51e8fa04c90cde0a500c
Opcode Fuzzy Hash: 57666e9c2a922e467b17ca5d48e0ffefb9ae641652301427170cc1afeebcb54b
Instruction Fuzzy Hash: 45E0E570D09208EFCB95EFA8D54469DBBF9FB48300F1080AAD848A2350D6355A51DF85

Function 059E1FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614c22d60794af6f3a29d17e6e3e104d186821fb72ff52a5814e4c652e72704d
Instruction ID: cd89d0c7874c0ded738c26525a2212fa7e2dfeb9f998c92ef31d7a1ae6e89de6
Opcode Fuzzy Hash: 614c22d60794af6f3a29d17e6e3e104d186821fb72ff52a5814e4c652e72704d
Instruction Fuzzy Hash: 62F0AF78E012288FCB60DF64C888BDEBBB6FB49310F14A9E6C009B7210DB305AC08F11

Function 05E7F9E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ca77dd6bdbfbb9a04e8d41181604f0f2a8db9bb8670a23a695e4adedfd654f
Instruction ID: 8b4e2c3265ac87832bb34c3e42b56f972a418c24f8a1d6ae28b7f98d4d8e4351
Opcode Fuzzy Hash: 53ca77dd6bdbfbb9a04e8d41181604f0f2a8db9bb8670a23a695e4adedfd654f
Instruction Fuzzy Hash: 82E0E574E05208EFCB84DFA8D5456ACBBF4FB48304F14C1AAD8A893340E6359A41CF45

Function 05E78D38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ca77dd6bdbfbb9a04e8d41181604f0f2a8db9bb8670a23a695e4adedfd654f
Instruction ID: 963f7bf8cd7f08280f413a4ce7985c7cdaef9f629b9d4974f76af2e3870d0c2f
Opcode Fuzzy Hash: 53ca77dd6bdbfbb9a04e8d41181604f0f2a8db9bb8670a23a695e4adedfd654f
Instruction Fuzzy Hash: 7EE0E574E09208EFCB44DFA9D5446ACBBF8FB48304F10C4AAD85893350D6359A02DF45

Function 05E7DD08 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bde1dd0b830fa0ed6ca6457e9c87a3e53ea4de44249f902e6e1a6fd6153194b
Instruction ID: 7850c10a735703f5c38da8a96e387a0cba9b86c20d581f6e207eca5e1e6f255e
Opcode Fuzzy Hash: 9bde1dd0b830fa0ed6ca6457e9c87a3e53ea4de44249f902e6e1a6fd6153194b
Instruction Fuzzy Hash: 08E0DFB0D0930CDBDB00EFB8DA047AC7BB4FB09201F1001A9D8CCA3340EA345A00C705

Function 013D6F90 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebf0943d81907379d77693ed3e9e8297998d3b0b46bc7c15b581df113732f0a
Instruction ID: e73d0bc34d7ddf4943d12ab4b56165a9ccd2d70c54459005cf59b522577be9f7
Opcode Fuzzy Hash: 2ebf0943d81907379d77693ed3e9e8297998d3b0b46bc7c15b581df113732f0a
Instruction Fuzzy Hash: 19D0177004E3D08EC753137C69AB2F8BFB89F47215F4858EAD8C586972895A042FD756

Function 013D1BD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843b3e3dc5ebd9da950da5395f940614270d71af3c33d4391f3ace64ce1247e3
Instruction ID: 39e272b0f1a9cce9d6cd308fd97bcadcfaa6fe0bda6582b2d615548d4bd1f6d4
Opcode Fuzzy Hash: 843b3e3dc5ebd9da950da5395f940614270d71af3c33d4391f3ace64ce1247e3
Instruction Fuzzy Hash: 38E01A38205745DFC78ADB78D4A09197BF2BF8A62032585EAE449CB339D636A812CB11

Function 059E6058 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c269e7c7e2f68d34e1176ac37b073573da3d769dd7f4402a64949d8e65e06f
Instruction ID: fb20a35b0e7649ac8805ea612e2b6d861f80ae0ac5b5988b152e787a3082198f
Opcode Fuzzy Hash: 39c269e7c7e2f68d34e1176ac37b073573da3d769dd7f4402a64949d8e65e06f
Instruction Fuzzy Hash: A6E09A34C08208EFCB02EFA9D5445ACFBB8FB48301F10C0AADC8453341C736AA01DB84

Function 059EB74E Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cc48c032a7f4a40b68556352ed424dca664b98df19b128282f9dbaf5021c92
Instruction ID: aee20be6f47d2081ff29fd8f6cca4416a39d52147c78f988f83ca8eb4cbed414
Opcode Fuzzy Hash: 96cc48c032a7f4a40b68556352ed424dca664b98df19b128282f9dbaf5021c92
Instruction Fuzzy Hash: A2F0D470A04369DFDB61DF14D888B9EBBB5FB0A341F1056D5D449A2250DB345ED88F02

Function 059EE620 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508527866cf79bb49f201dbe80c704092246503ba409b5d1f38bd54e4e544055
Instruction ID: f381dcfd7e50d56e3b2f09c5e39a849a01025fca0fa3ce8584bc1937d9c5fcf5
Opcode Fuzzy Hash: 508527866cf79bb49f201dbe80c704092246503ba409b5d1f38bd54e4e544055
Instruction Fuzzy Hash: DEE01270E09308EFCB55EFA8D5442ACBBB9BB49300F1084AAD888A3380DA395A40DF45

Function 05E7EF58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408ecf65105548c2ea86f9bfb21047259f3fec585bf414d6373b4a1187358a9d
Instruction ID: 224acd7928eb6ddbb15a21e84f5a96c19f7f03b678a598b7fa95cea8f22d83e8
Opcode Fuzzy Hash: 408ecf65105548c2ea86f9bfb21047259f3fec585bf414d6373b4a1187358a9d
Instruction Fuzzy Hash: BEE0867490921CEBC704DFA4D9409ADBFBCFB45311F14D0DAE8C457351C6319A42DB95

Function 05350948 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1883408004.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da88e0a8d776c31a78cda67b14204540dd460fa29de500cbfcad17fd19474911
Instruction ID: cf9400a2af8e47a536687cdbb23b1dbdd2c2cb26dbf33f623c50d6b864e8666c
Opcode Fuzzy Hash: da88e0a8d776c31a78cda67b14204540dd460fa29de500cbfcad17fd19474911
Instruction Fuzzy Hash: 25D02B71807218EBC714D668CD15BAA332DEB41315F0000A9948862360D6374D40C6E9

Function 059E5DD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d04f52d39a4b2d20e13f1ec05df4d3039ffcff18344a4e3ac5420c97b0a1c6
Instruction ID: 3acbb94180cb760b0b49a8f6bdce1422db56df2f44bc08331c230a1b3e919101
Opcode Fuzzy Hash: c3d04f52d39a4b2d20e13f1ec05df4d3039ffcff18344a4e3ac5420c97b0a1c6
Instruction Fuzzy Hash: 1BE04674905208DFCB81EFA8C588A9CBBF8BB08215F1040EAD848D7360E6309A80CB51

Function 059EFE38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79ead5ac1187d8c4523fc454565fffe66b716bde24b02398e712f14c688c857
Instruction ID: 7058f1c7e68d1a7993c0b5ad8b6b2be9f0cc1a161fc0e04dfbbea1dd1270669d
Opcode Fuzzy Hash: b79ead5ac1187d8c4523fc454565fffe66b716bde24b02398e712f14c688c857
Instruction Fuzzy Hash: C7E04F30905208DFCB40DFA8C54469CBBF4BB08304F1080AE8848D3341D731AE41CB41

Function 05E78040 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63db14818fbf1c1a9aa9343b0348f429c5fbc0691109bc276a43c23c6707b338
Instruction ID: 33036473229730ee9cc05d3035069a40956c65238b3044c2c973f9c21d4bbcf1
Opcode Fuzzy Hash: 63db14818fbf1c1a9aa9343b0348f429c5fbc0691109bc276a43c23c6707b338
Instruction Fuzzy Hash: 37E01A34D0920CEBCB04DF99D5445ACBBB4AB49304F1480EAD89857341D6365A02EB55

Function 05BFC9E1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37de8c541074aebfd89fc2302cedab7c13820db440a8bb666985ca106d7fcf1
Instruction ID: 45158e78f9ee06e1535abe86b23fd28a2c2520e5cbc57f2aeb0c3d4ae88a7b16
Opcode Fuzzy Hash: f37de8c541074aebfd89fc2302cedab7c13820db440a8bb666985ca106d7fcf1
Instruction Fuzzy Hash: 19E0C23A7400198B8704EF4DE44009DF7A2EBDC612310853AF946C3340CB319C6A9F90

Function 013DB128 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359b560dd0a7a7b1c129f22dfc1dba1e5e3b304c46ededa575cf666e85c19e1d
Instruction ID: 603b8be11d54540cc25250dab59ec22f75e1af85756fd0464dc5e0c2d2e011b0
Opcode Fuzzy Hash: 359b560dd0a7a7b1c129f22dfc1dba1e5e3b304c46ededa575cf666e85c19e1d
Instruction Fuzzy Hash: FEE0C271801208DBC700EFB8D90968FBBB8EB0A205F0045A6D548A3250FA354A04D7A6

Function 059E73C1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d658ffd809369446b6b392b5f5068bb19793459f143e36881d5ce8736ebdd499
Instruction ID: 64a81807b1785a8737f8acba6253644565cfc73221945a0f741b48fcecee8367
Opcode Fuzzy Hash: d658ffd809369446b6b392b5f5068bb19793459f143e36881d5ce8736ebdd499
Instruction Fuzzy Hash: 24F015B8D09318CFCB24CF68EA587ACB7B1FB49305F004499C00A66391D7745D85CF00

Function 059EE670 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc0829a3fd355a5d82a0561b408cf0bd8a00288abb7731947d43515b21cebbb
Instruction ID: 709f9534a598d963e64dfe327ffe1b2333d98d86971d960d1ea0d82de5a6d28c
Opcode Fuzzy Hash: ddc0829a3fd355a5d82a0561b408cf0bd8a00288abb7731947d43515b21cebbb
Instruction Fuzzy Hash: CDE08C70C0930CEFCB40EFA8D5482ACBBB8FB05301F1000A9C84993340E6300A50CB49

Function 05E7D048 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b91b15474c6d9b3435ba111fbaec382fcb9ca6a95930f3d68bad8da59d61cf
Instruction ID: 041ca97392c1414a263a0ed4296c5179ebe084db6cd4135eddb78b7ee333c2ce
Opcode Fuzzy Hash: 61b91b15474c6d9b3435ba111fbaec382fcb9ca6a95930f3d68bad8da59d61cf
Instruction Fuzzy Hash: 8FE0C23490920CDBCB04DFA4DA445ACBFB9FF45304F10A0DDC88867344CA325E02DB85

Function 05BFB2B7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a282d1f9bac6dc9d2ef2c600d0290ab4a5b7a93694512852ab841d4f5a8f1c78
Instruction ID: f8b909ba4309e07a163a9e86dbd58c63332d39412ea1a2ade05901caefc2724b
Opcode Fuzzy Hash: a282d1f9bac6dc9d2ef2c600d0290ab4a5b7a93694512852ab841d4f5a8f1c78
Instruction Fuzzy Hash: 67D02E727086220BCB01AA2DED4478B3BE2EBDC600F14857AB402C7308FE24DC028BC0

Function 059EACA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec37eb1bd6df2778547bf5d93e130454944f4a126080d04caa8efa3122876e50
Instruction ID: 09c5860f2313d3d6a0ab364154a0ebacdcc8fdfc9ef5ff0602d3cbd7ef70ffa7
Opcode Fuzzy Hash: ec37eb1bd6df2778547bf5d93e130454944f4a126080d04caa8efa3122876e50
Instruction Fuzzy Hash: 56F05A74D40229CFDB64CF25D988BD9BBB1AB59301F1081EA9889A3700EB741EC49F00

Function 059E5E20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9453585cd17915d81e4c4d1feb4eb28d8789bc510824289c7094564a359651d7
Instruction ID: bb56079be2f28823bca3534b1bea03e9df9133fbeaf6778a8d3662dac6a3b0e0
Opcode Fuzzy Hash: 9453585cd17915d81e4c4d1feb4eb28d8789bc510824289c7094564a359651d7
Instruction Fuzzy Hash: 82E01274D05208EFCB55EFA8D54929CBBF8BB04305F1044EAD889D3351E7345A54DB45

Function 05BF0490 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8bc6921ee139ba271d3391f5fbb1af66a8a0559f7c39bbdfc6408fd630be0b
Instruction ID: 1e94bf0ea96f5f8a6e060657d0ed988c3bf414215848374556b069887cd8416c
Opcode Fuzzy Hash: 4d8bc6921ee139ba271d3391f5fbb1af66a8a0559f7c39bbdfc6408fd630be0b
Instruction Fuzzy Hash: D8E0C230A0020CEFCB04EFB4D91066EB7BAEB85200F2049A8E8089B240DA315E009B80

Function 013DE6A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc64c8808dd3ae092369d4b3bdff3d477ba88c716caac41e944f3f91807cf76
Instruction ID: cbc46e2e1a1874d94f453a62031ded92370080474dde6885649717fdb094b820
Opcode Fuzzy Hash: 4fc64c8808dd3ae092369d4b3bdff3d477ba88c716caac41e944f3f91807cf76
Instruction Fuzzy Hash: DAD0A73050A208DFC705DB98E940AA8BBBCEB46328F1480EDD8085B391DA779D01CB85

Function 05BF0448 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425e57351809813ecefd5af54bf3e82e6e41ea5c80b3a44f4b28603d605de721
Instruction ID: c0950f535911969413315403affae730ca74f7b42b283868c7d50894ca129e7b
Opcode Fuzzy Hash: 425e57351809813ecefd5af54bf3e82e6e41ea5c80b3a44f4b28603d605de721
Instruction Fuzzy Hash: F0E05B70A1110DEFCB00EFE8E51069EBBF6EB86300F2045A9E80CD7340D9755F159B91

Function 05350958 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1883408004.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ca5d7ebdd71373ca9fa63ecd06734a815402cabf99fa4f5b2dc05563ca0e04
Instruction ID: f4cd4cba592bdfb8e08caa60bdd1bf38efcb7c8744516e6f4947b89dad4437d0
Opcode Fuzzy Hash: f2ca5d7ebdd71373ca9fa63ecd06734a815402cabf99fa4f5b2dc05563ca0e04
Instruction Fuzzy Hash: A2D0A77080B308EBC719DB64C504B6D736DE742315F001099C84812260C6774D40C7A9

Function 013D1BE0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7680b4ac5261a671e2e220ff37dbbb16f78fab27ddae7d84f44d8da0476db3da
Instruction ID: 2107ec3afd2102f1f888b5d543fbeb124b492886e3a8876695dced182c1a7c7e
Opcode Fuzzy Hash: 7680b4ac5261a671e2e220ff37dbbb16f78fab27ddae7d84f44d8da0476db3da
Instruction Fuzzy Hash: 6DD09E793005089F8748EB69E5A491A77EABB8CA1032085A9E949C7329DA31EC018B51

Function 05BFDB60 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca17a9915939f4bfd33b7f37fbddbd3d31f7bc3cf64dd27d489946abc4e14
Instruction ID: 7d66cf7941b205750b78d9acc2a6b831585a399e7cfb2d8360584b9aba575b49
Opcode Fuzzy Hash: 165ca17a9915939f4bfd33b7f37fbddbd3d31f7bc3cf64dd27d489946abc4e14
Instruction Fuzzy Hash: 06D0127E040104AFC7008B25D986FC07B64DB16335F15C051F509C7771C221E85A9954

Function 013D0888 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53519c079ece27f5b023890424a63eefc2fac5a836770e54e4ed901e1b4f80ee
Instruction ID: 527c33b248dfcbf32ce15ecc38b01c8c4e65b9996ba64d6ac8a300cc559d7ad0
Opcode Fuzzy Hash: 53519c079ece27f5b023890424a63eefc2fac5a836770e54e4ed901e1b4f80ee
Instruction Fuzzy Hash: 02C08C313100265B0A2436E8B23C0AC768DFB8D8A1300001AE9CAC3340CF1E1C0307DA

Function 013D1591 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705983db427df8b9e9bb030e4cbd9b8d2d406de9f18d8ef728719888cf574b9c
Instruction ID: 5b1d1461df4df188dc7f05b94b16e46be45509546ed538a379c1571fa9c2fbb2
Opcode Fuzzy Hash: 705983db427df8b9e9bb030e4cbd9b8d2d406de9f18d8ef728719888cf574b9c
Instruction Fuzzy Hash: 7BD0A736A080168BEB1A7F61F8243DC7215BF00B11F940865FDC157154CB349E099B82

Function 013D1E71 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad28c9ab3d1b25c18b0e7a8b07d168576aca3890774403d4aebcd8bcf2566447
Instruction ID: 0e7f0ef75a8ceb6050e7e6b1b1e8a30ee18a9e519b1989ec85b2dde1d01133b7
Opcode Fuzzy Hash: ad28c9ab3d1b25c18b0e7a8b07d168576aca3890774403d4aebcd8bcf2566447
Instruction Fuzzy Hash: 50D0C9316897818FC3439B74C4505947FB0AF57724B1640EBE445CB173E3B95C66CB21

Function 013D08B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f045b5ebda0d840ff39c20cc78ff63de92007a2c338a856fee02481d8064beb7
Instruction ID: 67cf11a4d3b7649caa59b8d53e13e044355743f8760f0621b96ce52ac6ba2879
Opcode Fuzzy Hash: f045b5ebda0d840ff39c20cc78ff63de92007a2c338a856fee02481d8064beb7
Instruction Fuzzy Hash: 50D0123204B3C9AFD3030FB0682A0A13FB8A90322875800D3E4C9CA023D22E2E06CB25

Function 05E7D4C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3f210862977179f1bc2064718e1a2635dc87dbf1802ba1c69d8421b2dcf2e4
Instruction ID: 867148881b8ab84e9d6a86fed1dc5ed2aa02d73d0abf53bdc3c88b453cafcbde
Opcode Fuzzy Hash: 6a3f210862977179f1bc2064718e1a2635dc87dbf1802ba1c69d8421b2dcf2e4
Instruction Fuzzy Hash: FAC08C3008F30882E2102254EF0C3B033AC6B06206F042841D68E045A2F6A82410C269

Function 013DAF58 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f73b62857cb9d1ad3d1736f5c0fdc32eb606ca354c45f4275844c28586da8a
Instruction ID: 0db16fc5a8fbbd8d9ce5c0d5937c0f075a58037198d67c665a88d477fc11f94c
Opcode Fuzzy Hash: d9f73b62857cb9d1ad3d1736f5c0fdc32eb606ca354c45f4275844c28586da8a
Instruction Fuzzy Hash: 22C0807048130447D21037A4FF0C354F75C6704216F440C51D14C515D09B7C8454C65E

Function 05E68B6E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e70d5bf423c246d45b1413ef41e3101b3bab5230d5a54aa9fe1501dcddf4b3
Instruction ID: 8727dfeab4154f1899653b0fa21d9d9785a4e716697f9827d8952b812d00242a
Opcode Fuzzy Hash: b6e70d5bf423c246d45b1413ef41e3101b3bab5230d5a54aa9fe1501dcddf4b3
Instruction Fuzzy Hash: 71D022BC6841088FD720EF48C468BEB73B7F78A740F40504A908E97786CE344D86CB21

Function 05BF18F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc7f3280092d09fe6e86b332504d2d129a69497e800143216e161a9dfcf8a1f
Instruction ID: 0c590f0e7330eb92f9e3309fd9d40d14250f0e99242404988794dac49105ed7c
Opcode Fuzzy Hash: 5cc7f3280092d09fe6e86b332504d2d129a69497e800143216e161a9dfcf8a1f
Instruction Fuzzy Hash: 86B092A16811052EEE208222CE077442214C392BA6F648000A30A986E9C580C04B4226

Function 059E712C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4b1168b7145236cd303890625a3c05117b1d34c9d89e3512d1e46918e98eaf
Instruction ID: f8de4485c8198a6371ac74ee09802305c2a1244cc92dd97fd20b990011c9c7ce
Opcode Fuzzy Hash: cb4b1168b7145236cd303890625a3c05117b1d34c9d89e3512d1e46918e98eaf
Instruction Fuzzy Hash: 89D067BC904228CFCB14DF28EA54B59B7B1FB55305F044095D40967355D7705D948F01

Function 059E7B7A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ba2c9a309bc321f19d9603f72e51ce3fd2e6821f7637c57ab8d398b708c592
Instruction ID: 9fac1b3ea14084d94f028c2a7bf02bb2871d51829a4259c44c3abdde3a6a0b3e
Opcode Fuzzy Hash: 91ba2c9a309bc321f19d9603f72e51ce3fd2e6821f7637c57ab8d398b708c592
Instruction Fuzzy Hash: 66C00276E5001A9A8B00DAD9E4508DCB774EB94321B004026D214A6104D63115268B50

Function 05BFB2A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa98070aa485f8e6d6e4c8ba1b55bd25099af2a00191cafc87cb3ac8e1fe1b5
Instruction ID: 84bfb9665c2a7ea2f8b0d99ce723417adefd69ff2d03932110408ab911125013
Opcode Fuzzy Hash: daa98070aa485f8e6d6e4c8ba1b55bd25099af2a00191cafc87cb3ac8e1fe1b5
Instruction Fuzzy Hash: E1B022C3C0008003CA82B2C8C83AB8200E8CBB0320FFCC8E2C20CCF320F02C822022A3

Function 05BF4D0A Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46469c73c9fe05df0f30ceaec3200c133db946048d4787c5de3936a27428fb35
Instruction ID: a414b4c4efaf0c934ee8f19b39226a8956b10edae2c955d3562b8f864bd91a96
Opcode Fuzzy Hash: 46469c73c9fe05df0f30ceaec3200c133db946048d4787c5de3936a27428fb35
Instruction Fuzzy Hash: 55C08C3898001EDBEF10CB40C5068EEB7B2EB8E200F300844D002B2910CB302E088BA0

Function 05BFDB70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 013D1E80 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40

Function 05BF47F1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ae62084b278da75b4bb12bd73f0cba7ebdcedf1ebbed258bb697a14e81c3e1
Instruction ID: 003b3b5e4436be57daef97f868f2816dcd26fcfa98ac1777052a97c94d27367e
Opcode Fuzzy Hash: 76ae62084b278da75b4bb12bd73f0cba7ebdcedf1ebbed258bb697a14e81c3e1
Instruction Fuzzy Hash: 50C08C318886D44BCB12CA20CE8BB4EBBA09FC1380F02902AD4808A024C7B00814DA00

Function 013D08D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a0b16f63845f0590feb351cae1b7dfa59826dd6739c476eff1a4281f330939
Instruction ID: 1bb09449542b06db584a3d09564d2f8e8c22fd4bab161a4696856dcd91253033
Opcode Fuzzy Hash: 51a0b16f63845f0590feb351cae1b7dfa59826dd6739c476eff1a4281f330939
Instruction Fuzzy Hash: 4BB09232D0E3814FCF2B9B349939048BF726A1330931544DAD8C1C90A7E57D0994CB42

Function 013D08C0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8913b70fc36e6de15500b360c9f85bb29aca68d08641bac39902fe51d0714d16
Instruction ID: 88ddc62cb1f2a63d13a8c5ce8a3f5e6cbb51aae674466ace81410b790cf3cffc
Opcode Fuzzy Hash: 8913b70fc36e6de15500b360c9f85bb29aca68d08641bac39902fe51d0714d16
Instruction Fuzzy Hash: BA90223000020CCF00022382382A080330CA0000003800003A00C800020A0A28000280

Non-executed Functions

Function 05BF4368 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

(bq, xrefs: 05BF470C
,bq, xrefs: 05BF445E

Memory Dump Source

Source File: 00000000.00000002.1885478725.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bf0000_new policy.jbxd

Similarity

API ID:
String ID: (bq$,bq
API String ID: 0-1616511919
Opcode ID: d78e96e7c258faf9b8f45278354eba3a1d2fec39f54e1c3d689f0c6f969f7fe6
Instruction ID: 33b530c4e6ba4549c322716b8897a92d2718fe19f7c3f1cbeffc78518ef9bac0
Opcode Fuzzy Hash: d78e96e7c258faf9b8f45278354eba3a1d2fec39f54e1c3d689f0c6f969f7fe6
Instruction Fuzzy Hash: A6D12A34A006058FDB14DF69C584AAEBBF2FF89310F25C4A9E905AB365DB31EC85CB50

Function 05D59C03 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05D59B40

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: e07f7540f32486d469b382bf8c58dd0557ba0a154efb15482dabcb9eda0601e8
Instruction ID: cb7afb9906229f7512396d9ab785436d3518dd05b7eceec9db4fdbef97c6defa
Opcode Fuzzy Hash: e07f7540f32486d469b382bf8c58dd0557ba0a154efb15482dabcb9eda0601e8
Instruction Fuzzy Hash: 23911674D04218CFEF14CFA9C9A4BADBBF2FB45315F10A16AD849AB254DB755984CF00

Function 05E60040 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

N, xrefs: 05E600FA

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 1c10a24c10e69f7747e3776c994152846f747b29b2c9920c5fd30e73222bcb45
Instruction ID: e1c8fe10c55337c47990ef9d1c9560557cad891d6d5b88fdf880f9cfad97f035
Opcode Fuzzy Hash: 1c10a24c10e69f7747e3776c994152846f747b29b2c9920c5fd30e73222bcb45
Instruction Fuzzy Hash: 61510B70D442298BEB29DF26C8887D9B7F2BF89344F10D0EAD44DA6244EB740B85CF01

Function 059E12A0 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

k, xrefs: 059E136F

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: 7111eb80076ccef519de9c1dd63f2348b2e3a9402d6e9f82ee78e7e23ba79bfb
Instruction ID: 0d019e95a33cefdc4d7e681ece9ec937e4361ef2e4c60e1245ad6fa857e555d7
Opcode Fuzzy Hash: 7111eb80076ccef519de9c1dd63f2348b2e3a9402d6e9f82ee78e7e23ba79bfb
Instruction Fuzzy Hash: 2F319971D056198BDB59DF2BC94839ABAF7AFC8300F14D1FA840CA6224DB340A81CF01

Function 05E60006 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

N, xrefs: 05E600FA

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: c415c30d16817d87aa8de265d130f4a3ff6ccb49ba4e6a7156c0d81ec628941a
Instruction ID: 85e68299b22d0e0ebcf451b9e3b088046d749dbbb4812a09b3c3b560beb1a55a
Opcode Fuzzy Hash: c415c30d16817d87aa8de265d130f4a3ff6ccb49ba4e6a7156c0d81ec628941a
Instruction Fuzzy Hash: EA313E71D057548FEB59CF6B8C45299BBF2AFC6340F09C0EAD448A6255DB740A8ACF11

Function 059E1290 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

k, xrefs: 059E136F

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: cdb84ced7a6cbd987b23fb60ced8197f5d0d952b5cffdcb7e7bfb2961ce7d02c
Instruction ID: 07b17d22e7ec61517db29633ab3663ed4df7781ed0daf34a64665961794b602a
Opcode Fuzzy Hash: cdb84ced7a6cbd987b23fb60ced8197f5d0d952b5cffdcb7e7bfb2961ce7d02c
Instruction Fuzzy Hash: 51317F71D056188BEB5DCF6BCD4469AFAF7AFC8300F14C1BA840CA6224DB350A81DF15

Function 059E6720 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0700f128fad4c25135e62c00a9887a96fe41b3f39ae4ecb0cb89fff193c04bb3
Instruction ID: f58bf5eab3ac987661c48f6ff2b8df12459c82def22027e8c29d8c9f56fbe8b4
Opcode Fuzzy Hash: 0700f128fad4c25135e62c00a9887a96fe41b3f39ae4ecb0cb89fff193c04bb3
Instruction Fuzzy Hash: F412C271E046198BDB14CFAAC98069EFBF2FF88304F28C569D458AB219D734A946CF54

Function 05E7D088 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885762406.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289ec4fb143bad0aeef258d1a349c899136383ccfdf69bba69c8bde341554dea
Instruction ID: 2a21827da94d92d9412d52a45b72a3d29b492c1ea4570cf50e3ae765709cb9c4
Opcode Fuzzy Hash: 289ec4fb143bad0aeef258d1a349c899136383ccfdf69bba69c8bde341554dea
Instruction Fuzzy Hash: 2581E670E0421CCFDB24DF69C944BEDBBB6BF8A304F54A4AAD449A7251E7705986CF40

Function 053505F8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1883408004.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7c2e2b8522d19cad8abeed40704dc4fb14464b8e234a228e4fd7fdf2ae9f44
Instruction ID: c9de3fd9430e51bef7aee35d52339c2c3a546722c23af32df735ab0337feb0f9
Opcode Fuzzy Hash: 9a7c2e2b8522d19cad8abeed40704dc4fb14464b8e234a228e4fd7fdf2ae9f44
Instruction Fuzzy Hash: 3C813574A04218CFDB18DFA9D568BEDBBF6FB89310F10612AD80AA7394DB765845CF40

Function 053505E8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1883408004.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c048aeff455919860f327bc97b1d3a312a51e5e65c842225b8bbfc65e61917f
Instruction ID: 75eee69129e1854685b2ecd65a50f8a6f9c2ff865e5e6fc803d99b54f8fabd31
Opcode Fuzzy Hash: 0c048aeff455919860f327bc97b1d3a312a51e5e65c842225b8bbfc65e61917f
Instruction Fuzzy Hash: BB8114B4A05218CFDB18DFA9D568BEDBBF2FB89310F10612AD80AA7394DB755845CF40

Function 059E6710 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950a78da3865002288f3db861fcd9aa24edbefc4f44457af055706bf400acac5
Instruction ID: 832fc2dc649443ea55dc79390584c4d252f077597aaf6586c0fe73a7f92c5d7b
Opcode Fuzzy Hash: 950a78da3865002288f3db861fcd9aa24edbefc4f44457af055706bf400acac5
Instruction Fuzzy Hash: 724158B1E016198BDB18CFABD94069EFBF3BFC8300F14C07AD958AB224DB3459468B54

Function 05C0D780 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885529486.0000000005C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c00000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cb83056621641c8e37ab5c27efcea5e695af17f066c0be814f413cfcfae899
Instruction ID: dadb065e982fff906ea2b4deff90c389efd5f0f2236dec4b30dc708acf859f7a
Opcode Fuzzy Hash: c6cb83056621641c8e37ab5c27efcea5e695af17f066c0be814f413cfcfae899
Instruction Fuzzy Hash: 9A41D0B4D043489FDB14DFE9D884A9DBBF1BB09300F20A529E81ABB290D7749985CF85

Function 059E8200 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7470ef7a4e271c35034475e970a11e7cd78d19403871f04d75912981f771174
Instruction ID: e9ab831198c8105485c8fd481fc64d180e1fda3b67034deb0bafda0e5d5b60fd
Opcode Fuzzy Hash: b7470ef7a4e271c35034475e970a11e7cd78d19403871f04d75912981f771174
Instruction Fuzzy Hash: D6412D71E05A188FEB59CF6B8D4469EFAF3AFC9301F14D1B9D84CAA255EB3409468F01

Function 013D7638 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1862833906.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad1e3bb9ecfba14796eba9bc48a8cfb7e5c9df82cc262312e59d20399496704
Instruction ID: be04069cb1d07fa4cf97aad897e4f757a7fc970c7f178750f1c322670bbabc4c
Opcode Fuzzy Hash: aad1e3bb9ecfba14796eba9bc48a8cfb7e5c9df82cc262312e59d20399496704
Instruction Fuzzy Hash: 623198B1D016188BEB58CF6BC95579EFBF7AFC9304F18C1AAC44CA6265DB7409868F01

Function 05D5D1A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c22a227a33e4431cb6441b69262a220e6d3654d304f432d56b870f76626a9c5
Instruction ID: 94f59b0ce971ad9a06d0d44e8d824095d2c780fd42e916381c27600e99b821fa
Opcode Fuzzy Hash: 2c22a227a33e4431cb6441b69262a220e6d3654d304f432d56b870f76626a9c5
Instruction Fuzzy Hash: 3021EFB5D142089FCB10DFA9D981AEEFBF5FB89320F50901AE819B7210C735A941CFA5

Function 059E0006 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1884661949.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdbf8fdf0a9c6fe093dc14fa42b5be87bc0cf0bf99f49e93fcc97f2ee600842
Instruction ID: 1fc5eb3d132c94f1c8c94a23a61d69a9b343d726b600c4670c38eb58af34e612
Opcode Fuzzy Hash: ebdbf8fdf0a9c6fe093dc14fa42b5be87bc0cf0bf99f49e93fcc97f2ee600842
Instruction Fuzzy Hash: 3121FF71D096948BDB1ACF668D442D9BFF7AFCA301F08C0FAC448AB265DA740945CB51

Function 05D5D1A8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64dee2db0bd3548807ab6449887ccb67a9713a479f53e732959c4a4987164eac
Instruction ID: 14188eb9cc9ed9b5634574d5f8dbe82f54275126d38c820aaa3e9b351536ef73
Opcode Fuzzy Hash: 64dee2db0bd3548807ab6449887ccb67a9713a479f53e732959c4a4987164eac
Instruction Fuzzy Hash: FD21FEB5D042089FCB10DFA9D980AEEFBF5FB89320F50901AE819B7210C735A941CFA5

Function 05D5AE00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd8e4d7b824cdb7113931fe740261b7ca85c68058c447a244ee952972096e86
Instruction ID: a4b5831a2d8374ab0b887cf746d0c4fd02ae57e72d7abd22f40983f62a03dca4
Opcode Fuzzy Hash: cbd8e4d7b824cdb7113931fe740261b7ca85c68058c447a244ee952972096e86
Instruction Fuzzy Hash: 23213771E046288BEF28CF9BC84479EFAF7AFC8300F14C17AD809AA254DB3409468F51

Function 05D5AE10 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1885668717.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d50000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f773da6da0fe8de3a861bbb35f60c8783ae51e865d301dcc15587b7ad4640c
Instruction ID: 5bace05d51512bc617139a3a78063a95cb274099534276ca14e69db750a8a532
Opcode Fuzzy Hash: f8f773da6da0fe8de3a861bbb35f60c8783ae51e865d301dcc15587b7ad4640c
Instruction Fuzzy Hash: EB21A371E046289BEB28CF9BD94479EFBF7AFC8311F14C07AD809A6254DB7409458F51

Analysis Process: airlineagancy.casacam.net 7076.exePID: 7764, Parent PID: 7496COMMON

Executed Functions

Function 00007FFD9BAC5FB9 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799b5418f6a6f290d7b6a70c46d6d5843c2ab15529b3ad63682fc0f458ebdc61
Instruction ID: 8990aab675065eaa53057273ddf8483d8182c3567b001e152a9e11707268f5ba
Opcode Fuzzy Hash: 799b5418f6a6f290d7b6a70c46d6d5843c2ab15529b3ad63682fc0f458ebdc61
Instruction Fuzzy Hash: AFD17330A09A4D8FEBA8EF28C8557F977D1FF68301F04426AE84DC7295CF74A9458B81

Function 00007FFD9BAC6D69 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a1c44dc0c39c7702254b7a6bf065d00e1b418834d5c8f4dd07be591216f24e
Instruction ID: 0b67ee1fc26ac9bed395ed34a74dbe6dbf0ddcf5c426c764cd23ee772f5c66f0
Opcode Fuzzy Hash: d9a1c44dc0c39c7702254b7a6bf065d00e1b418834d5c8f4dd07be591216f24e
Instruction Fuzzy Hash: 56D16230A19A4E8FEBA8EF28C8557F977D1FB68310F14822ED80DC7295CF7499448B81

Function 00007FFD9BAC239A Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

$M_, xrefs: 00007FFD9BAC23B4

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID: $M_
API String ID: 0-1791070036
Opcode ID: 981bfea2c2696e8dcea2d6acd53c0c6c47efab25188507f8f6ec4c28f7546745
Instruction ID: 5bf04033f376397ad218c4c9990890f87689bcb31b44efcb058f94c407fac82c
Opcode Fuzzy Hash: 981bfea2c2696e8dcea2d6acd53c0c6c47efab25188507f8f6ec4c28f7546745
Instruction Fuzzy Hash: 57B19762B1DA4D0BE7A8AB7C44696B977D2FF98314F44027DE05EC72D6DE786C028780

Function 00007FFD9BAC7EB1 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9BAC7F23

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 317fa32b18005ee276f11377848f482c8f89ffc9c192f1eca658a9f1e306b7d0
Instruction ID: 546a769bb0652989f7c3f1125e2bdc2ac721de57aba9947ebaf2669fdc7d2072
Opcode Fuzzy Hash: 317fa32b18005ee276f11377848f482c8f89ffc9c192f1eca658a9f1e306b7d0
Instruction Fuzzy Hash: A7212232D0D24A4FEF50AFE4C8656F9BBE0EF46300F0601BAD45DD31A2CA686D44C7A2

Function 00007FFD9BAC0758 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6ea02dfb73da9375979d610b09765ae7ed3c1aed0652c0e76c191ee47a09c6
Instruction ID: 8ca214928d3c3020e9884931510ac38dc6cc27e588bd325d13f2092e8d862041
Opcode Fuzzy Hash: fc6ea02dfb73da9375979d610b09765ae7ed3c1aed0652c0e76c191ee47a09c6
Instruction Fuzzy Hash: F4D11371B1991D8FD7A9EF2884A8AB477D1FF99314B4502B9E05EC72B6CE34A801CB41

Function 00007FFD9BAC7675 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94446a828cda6543c7868afea69890958b96cbcf10f0bffae0657f11f75f6300
Instruction ID: c9d8a220884e286a32bb2c860661d64d790461d2845d855689538bb14b3bc5d7
Opcode Fuzzy Hash: 94446a828cda6543c7868afea69890958b96cbcf10f0bffae0657f11f75f6300
Instruction Fuzzy Hash: 0C410753A0F6DA0EE762BBAC18790F83FA0DF52750B0A41F7D089CB1E3D8585D468352

Function 00007FFD9BAC8B4D Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42e906ceae5e22ef5a0bea9660cd30c775df77d95e09909e84a460c268349a3
Instruction ID: 4208488d74b9b2115ec670bbaea03ad497af103a5605622d7673767861e9dac1
Opcode Fuzzy Hash: e42e906ceae5e22ef5a0bea9660cd30c775df77d95e09909e84a460c268349a3
Instruction Fuzzy Hash: 64811731B0994C4FDBA9EB788865AFD77E1EF59320F05017AE00EC72E2CE68A941C741

Function 00007FFD9BAC8609 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9478598cc313b206512a5e419ba31ade26e354b912601f9897f5eeacd5f2723
Instruction ID: 39133c8b3e5269c08c527972b18da2a3dc7a5498e55b9a7ccb1e451836fa6d16
Opcode Fuzzy Hash: f9478598cc313b206512a5e419ba31ade26e354b912601f9897f5eeacd5f2723
Instruction Fuzzy Hash: 03812632F1E94E0FE7A8FB7888656B577D1FF45360F1502B9D018C71E6EE68A9068381

Function 00007FFD9BAC76B0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5252cd7d0f6646f86656dd73f71e6b7d85ec490aa6d8b7c222fc67ce1121c98a
Instruction ID: a7e842c278f4c221d452f885a2679b17207282ced55a18e4d3545bef67961475
Opcode Fuzzy Hash: 5252cd7d0f6646f86656dd73f71e6b7d85ec490aa6d8b7c222fc67ce1121c98a
Instruction Fuzzy Hash: C6212562A0FBD90FD753AB6C18755B83FA0EF96210B0A41F3E049C71A7E8586D058392

Function 00007FFD9BAC76C0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe1146fb9a25fdfa7ee38feefd9c4015399f760bdc5fdef2e365416abed6986
Instruction ID: f34ee5267a5368e82da449083ca81a589e1034474bb22d7e2b61ae19bd945fa7
Opcode Fuzzy Hash: 6fe1146fb9a25fdfa7ee38feefd9c4015399f760bdc5fdef2e365416abed6986
Instruction Fuzzy Hash: 9D21F662A0EA990FD753A76C58755B93FA0EF96210B0A01F3E049C71A7E9145D058392

Function 00007FFD9BAC6979 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825f403f9fe8eab054f4a9a3c8f92c9bf0cd242db4e0efe883c6ca0f24fb1a58
Instruction ID: 5b7158ef4120e96cdb629cbc247c4abe751be002ad6ae9029624f378087f10be
Opcode Fuzzy Hash: 825f403f9fe8eab054f4a9a3c8f92c9bf0cd242db4e0efe883c6ca0f24fb1a58
Instruction Fuzzy Hash: 8D914330A09A4D4FDBA8EF2CD4657F977E1FF68310F14822AE84DC7295CE7499458B81

Function 00007FFD9BAC27C5 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42187e3bd296e1bbc9f631c4e373d60fd67fd2a329b13c680f39825379f8a018
Instruction ID: 23b8df469cfcae333f209f2a60f7b156b7c47e188157ad0c259346592b355bd4
Opcode Fuzzy Hash: 42187e3bd296e1bbc9f631c4e373d60fd67fd2a329b13c680f39825379f8a018
Instruction Fuzzy Hash: 59711A207189459FE798FBAC88B5B7977D2EFA8319F5405B5E01DC32E7CD28A841C742

Function 00007FFD9BAC7F9D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3231f18804ee50653736748e9f68515d1068253539c5a455199d77d9fbdedbe7
Instruction ID: 03242754ff7dd246e4e81d861f32e53a667d05d10778171ac0ea6d8f99799944
Opcode Fuzzy Hash: 3231f18804ee50653736748e9f68515d1068253539c5a455199d77d9fbdedbe7
Instruction Fuzzy Hash: BC519431A18A0C8FDB58EF58D855BEDB7F1FF98311F10426AD04DD3296CA74A946CB81

Function 00007FFD9BAC0925 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6277d9cc356e5d1fe9be671d5eaada377a19dd66e642c0de3d36775eed47285
Instruction ID: 3190cacf011d673e14ddf2af906908da5b75edd7025809889562e083f2a81acc
Opcode Fuzzy Hash: b6277d9cc356e5d1fe9be671d5eaada377a19dd66e642c0de3d36775eed47285
Instruction Fuzzy Hash: 83512921B1A94E0FD7A8FB7854B9AFD7BE1FF9821878505BDE00EC71DACD6869018740

Function 00007FFD9BAC8BA0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f5de91868e5d755ec3837fabd5f86146524e5d6679a80cd9bcdd8970590174
Instruction ID: 174457b0926bfabd98ffb5aaad88badcb974daca62250486a721acb1b2cd09fd
Opcode Fuzzy Hash: 09f5de91868e5d755ec3837fabd5f86146524e5d6679a80cd9bcdd8970590174
Instruction Fuzzy Hash: 9A518431B1990C4FDBA8EB68C4A9BBDB7E1FF58324F150179E00ED72A6CE64AC418741

Function 00007FFD9BAC88C1 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1670737e50a4124c71fdd27d7f27db6a3331b43b051184489b709583eb2fe91
Instruction ID: e51127893142215bcd36807813a27ec0990cfe337320b4987a7d61838dea9ba0
Opcode Fuzzy Hash: d1670737e50a4124c71fdd27d7f27db6a3331b43b051184489b709583eb2fe91
Instruction Fuzzy Hash: 0B51A230F1990D9FEB94FB68D865AB877E1FF88310F4541B5E01DD32A6DE2869418B41

Function 00007FFD9BAC1908 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e4bad81b1eda7ae9139b61f3dc08734d268509b332a0f3d50155dd021200ca
Instruction ID: 8ad53453e4a73fbeb027e5310d5dc11c6964c8b7e2ef82e6a4885a3af15dd5fe
Opcode Fuzzy Hash: d3e4bad81b1eda7ae9139b61f3dc08734d268509b332a0f3d50155dd021200ca
Instruction Fuzzy Hash: AD61F830F0E68A4FEB5AE77484616B97BA1EF26314F1902F9D05DC71E3CE686842C751

Function 00007FFD9BAC0550 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcea3d581ae5570dcb211425bc67b9bd578b4349a80af4a3c678e91f03210de
Instruction ID: bc1f97359cd9c87990a89f393a08e74a1aa9873ce6360d109bba9345f0b08c30
Opcode Fuzzy Hash: 8dcea3d581ae5570dcb211425bc67b9bd578b4349a80af4a3c678e91f03210de
Instruction Fuzzy Hash: 7C513971A0D64D8FE768EF68C855AB87BE0EF65314F0441BED00EC71A2DB74A806CB91

Function 00007FFD9BAC383C Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf68906a9e105631277d8ceb5299ed78882cbd31703946b35eab24714afc6d6
Instruction ID: 55d1c59d99975ea3b93995051a653ff529b8fb82dd75a4cf40cce58c699054db
Opcode Fuzzy Hash: bcf68906a9e105631277d8ceb5299ed78882cbd31703946b35eab24714afc6d6
Instruction Fuzzy Hash: 13517331D08A1C8FDB68DF58D855BE9BBF1FB59310F0082AAD04DD3252DE74A9858F81

Function 00007FFD9BAC05A0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6f94e1152c52f9ee1560cbe5b3a6630403796557f075d09837b961323697ff
Instruction ID: cbddc93b11f061bed0a67e7658061af118aa133e136b665971569093888274ad
Opcode Fuzzy Hash: 6c6f94e1152c52f9ee1560cbe5b3a6630403796557f075d09837b961323697ff
Instruction Fuzzy Hash: 1B413C21F1D9490FE7A4FB3C886797977C1EF95324B0905B9E44EC32EADD58AC428741

Function 00007FFD9BAC1660 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e009eecb69af105513bf020dae9eade1c4534db4c06a475a88b031b054381492
Instruction ID: 29be7a6ce71a64aab814d0e450d55534062d6714dc6cd16ddd14244427d2bc5d
Opcode Fuzzy Hash: e009eecb69af105513bf020dae9eade1c4534db4c06a475a88b031b054381492
Instruction Fuzzy Hash: 06519174A09A5D8FEBA9EF68D4A5BB977E0FF25311F14016ED00AC36A1CB75A841CF40

Function 00007FFD9BAC0B5E Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2efe4b0d0b9b9f0655791db7ce5adc39b259c0a428e73f8f361bf9caca673b
Instruction ID: 131058f8273f3167520aee0c5556566eb10b96b7235fa3affd0506b7e0445e50
Opcode Fuzzy Hash: 0b2efe4b0d0b9b9f0655791db7ce5adc39b259c0a428e73f8f361bf9caca673b
Instruction Fuzzy Hash: 6E412621B1DA890FE799AB6C48796757BD2DF8A225F0901FEE04EC72E7CD585C428341

Function 00007FFD9BAC04C8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c8999aae28598d25aa4ee9b21c87d4a4971a0bfa8c18d211590c06f779dbc
Instruction ID: eb5abbeddffb84912f8a6a1e3b0ee2d69603d94752da32589042448be9267f96
Opcode Fuzzy Hash: 598c8999aae28598d25aa4ee9b21c87d4a4971a0bfa8c18d211590c06f779dbc
Instruction Fuzzy Hash: 0731D521B19A4D0FE798FB2C986AA79B2C2EF99315F0506BEF00EC72D7DD645C428341

Function 00007FFD9BAC0E11 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1543c716106178e74caa6136ff8c71d1e1ea682fadbc5fd60a5d2abe582dfb0d
Instruction ID: 3fe667c33f8c985ecf27f02834de41baf9b89ea626d97905eaf7d010d155bbb9
Opcode Fuzzy Hash: 1543c716106178e74caa6136ff8c71d1e1ea682fadbc5fd60a5d2abe582dfb0d
Instruction Fuzzy Hash: A831B611B1990D0FEB94BBAC5C297B877D2EF98755F0503BAF01DC32E6DE58A9018381

Function 00007FFD9BAC0CC1 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c6a0195c8f40ab8164b7e1a8394c0bc9cb155d437239a3a70fba97876be654
Instruction ID: 86d840d06f327181cfa792cb74c6e6463adfbd4a5fcf094336653cf30b464822
Opcode Fuzzy Hash: 73c6a0195c8f40ab8164b7e1a8394c0bc9cb155d437239a3a70fba97876be654
Instruction Fuzzy Hash: BC41E630B1964D4FEB94EB7888B56F97BA1FF98314F5406B9D009C72D6CD386801C740

Function 00007FFD9BAC0E30 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3113de8fbc705032159a201b38969ead5cdade74d79da00b266ba561be65b973
Instruction ID: 0b6c92535fb4dd45a775c176c5bb49e6d5c3c5a10efeae38c89359899e1f5eff
Opcode Fuzzy Hash: 3113de8fbc705032159a201b38969ead5cdade74d79da00b266ba561be65b973
Instruction Fuzzy Hash: C631C711B19D0D0BEB94BBAC582A7BC72C2EF9C766F0403BAF01DC32D6DD58A8018381

Function 00007FFD9BAC9335 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65373063f8abe04ca83565ee1635d2fc59f4f24c2d0f50aaf7f6e6b989f5408b
Instruction ID: 854fe21100669a3f1b9f1445f2927dc6a1da6fccc2d93b6dc1caa66dc9f0735e
Opcode Fuzzy Hash: 65373063f8abe04ca83565ee1635d2fc59f4f24c2d0f50aaf7f6e6b989f5408b
Instruction Fuzzy Hash: BC31A13190D7488FDB29DFA9D889AE9BBF0FF56320F0482AFD089C7552D764A405CB51

Function 00007FFD9BAC81C9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70880cde94cdf66160e9376d91a92bf71eae0aae314a9d8d713e269c4072eff7
Instruction ID: d7fe2a379c35815a0be323cea00ba2d07cfa22a87fbd130d22128715e8418edf
Opcode Fuzzy Hash: 70880cde94cdf66160e9376d91a92bf71eae0aae314a9d8d713e269c4072eff7
Instruction Fuzzy Hash: EF31F630A0DA8A9FEB96FF7CC4A55687BE1FF16314B0501A6D058C72A3DB38AD41CB41

Function 00007FFD9BAC84C5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394ec34c5e4e35e7aed578ead91d7a74bab48523db153e25b6b864b70b797085
Instruction ID: 8bd3df5319c77117a5e3779aeda489322906671cae6053f0d60ad3e112b187d1
Opcode Fuzzy Hash: 394ec34c5e4e35e7aed578ead91d7a74bab48523db153e25b6b864b70b797085
Instruction Fuzzy Hash: FB314632A5E68E0FE355A7A48C721F97BB1FF45360B4541BAE059CB0E3ED5C2A028341

Function 00007FFD9BAC8362 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7178851c90e81b0968fa3a34dddab1883c68e3cdbfac4cf057146494f26eb471
Instruction ID: 9f85ec82af96320ec7cec83d55868d8ab29ce0c6f1c8efde2c14ebe3ce7df2a2
Opcode Fuzzy Hash: 7178851c90e81b0968fa3a34dddab1883c68e3cdbfac4cf057146494f26eb471
Instruction Fuzzy Hash: A3318D71B0990E5FEF98FB6C84656BD77E2FF98310B400479D41DD32A6DE38A9418740

Function 00007FFD9BAC9259 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a848f69284052013bdce9a7951ced71c7a614030a69b8f4818ee87be7b251041
Instruction ID: 65388a88af3feff70bf2d4ff853d123f09ab6ddf5094e21179560265abaa2a6f
Opcode Fuzzy Hash: a848f69284052013bdce9a7951ced71c7a614030a69b8f4818ee87be7b251041
Instruction Fuzzy Hash: 3D210830B4D58E0FD756AFA88825AF53BD1EF9A210F0541B6E08AC71A3CD5C99068791

Function 00007FFD9BAC8662 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad16480294fa73b10a8e7dda8107b5cddd72ab74bc5daef9b71fd5425b8bd22b
Instruction ID: f80f46e9a7dbfa0d74c994c3d6cbe2f7cfe11fab6c5ae6d46b17266f60da705a
Opcode Fuzzy Hash: ad16480294fa73b10a8e7dda8107b5cddd72ab74bc5daef9b71fd5425b8bd22b
Instruction Fuzzy Hash: 51110222F09D0A0BE75CFBA888696B4B391FF54335F104779D01EC31E6DE78B8068280

Function 00007FFD9BAC9141 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95470c6babe9f9142d356301a353dbe74460ace23108573a0f9285f786e9d6a
Instruction ID: f62ced211d15d5ce6791e751aa5949eb066fe4a83c28beed1f999483e195615f
Opcode Fuzzy Hash: b95470c6babe9f9142d356301a353dbe74460ace23108573a0f9285f786e9d6a
Instruction Fuzzy Hash: 1F210510B2D9494BEB85BBAC58767B877D1EF59318F4502B5F01DC72D3CD6869008792

Function 00007FFD9BAC2A6A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4cdb0cc6ba2a3312b115550ab89df1fbc8824e8f069478c5c82283d0aaae10
Instruction ID: 67ed36b9189acaae3684267daf02740902e6c3566105196a75f32df1d7e53479
Opcode Fuzzy Hash: 5e4cdb0cc6ba2a3312b115550ab89df1fbc8824e8f069478c5c82283d0aaae10
Instruction Fuzzy Hash: 5C11511071890947EA98B3EC68627B9A2C7DFEC71AFA40275F00DC72FBCC58BD018652

Function 00007FFD9BAC12C1 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17032412cf22a371fb0e094d47a14170fec868085783d602ec02f48ae699cd7
Instruction ID: 9cd2f5357098712fe3e03a05589d92db5905e836001f53412e3d5d43524210fa
Opcode Fuzzy Hash: b17032412cf22a371fb0e094d47a14170fec868085783d602ec02f48ae699cd7
Instruction Fuzzy Hash: 43110A15F0F68A0BE77A77B848725B83BA1AF92354F4A01F5E058CF1E3DD5C69064351

Function 00007FFD9BAC137D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee363ea1f4d901da8f4c37c70f999ff7aeb7376b78f1f6ae7aea528354f26df7
Instruction ID: ab8fdb37db4e4bf1acc1beead0112777a0a31bbccdc6fa0c1120b6c52bf733d9
Opcode Fuzzy Hash: ee363ea1f4d901da8f4c37c70f999ff7aeb7376b78f1f6ae7aea528354f26df7
Instruction Fuzzy Hash: 3B1108B1A0968C4FE798DF6488A96B93FE0EF69204F4841BFD48ED76A1DA7461018700

Function 00007FFD9BAC7DF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e16f236ff2fe9d889a356cc5896927b8be66f73f8f92af298588be5a417d85
Instruction ID: 750fdd4d02780d969aeb1d5ff7cab43ed8131e4ac74b977625fe21c63e44e421
Opcode Fuzzy Hash: e3e16f236ff2fe9d889a356cc5896927b8be66f73f8f92af298588be5a417d85
Instruction Fuzzy Hash: 72010472E09A8D4FDB41EFA888695FD7BF0FF19210F4501B7D018C7196EB2999418782

Function 00007FFD9BAC141D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dae7f0a20853d10b8975a28b03038e4c615a753901f3a4fac31fe8b98e81fdb
Instruction ID: d57492b5de1837501bf534478f1864a918651403d7a152fc42a54f0c992f882e
Opcode Fuzzy Hash: 7dae7f0a20853d10b8975a28b03038e4c615a753901f3a4fac31fe8b98e81fdb
Instruction Fuzzy Hash: BC01F910F2F59A4FFB697BB8047567826919F65308F9605F4E00DD71D7DD5C58018341

Function 00007FFD9BAC1328 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398256ec6a004e3bdea2ca41aba1c2bc931ac370be053fde549f4ebaf7aa8be1
Instruction ID: a6ccb14ff37ef0c06b3122f6dbc068b382546c67528aa5040d3ced31138e60d3
Opcode Fuzzy Hash: 398256ec6a004e3bdea2ca41aba1c2bc931ac370be053fde549f4ebaf7aa8be1
Instruction Fuzzy Hash: 76F0F430F0D40A8BE3B5EBA8856067873A1AFA1324F150674D01DC73E2DE78B9418780

Function 00007FFD9BAC1141 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982f510d3889d0179028e5794f3ccaafc8ee00174df5fe05695656eb30f1905c
Instruction ID: 0967464579a5e3d2ca2c7bc72e3c69cc507aa510d980094cdb0c31cecb65e7b4
Opcode Fuzzy Hash: 982f510d3889d0179028e5794f3ccaafc8ee00174df5fe05695656eb30f1905c
Instruction Fuzzy Hash: 70E02B3286938C4FD7626FB058221EA7B34FF51204F4605CBF41CC70A2E72097188383

Function 00007FFD9BAC1284 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be749fb374e119204ea1432ed6411a1594da0bdab888e07c5ebe139f8a5d1d13
Instruction ID: 76e15de2d47e7ef7a1114f71fbca34f944ef168f52518c327fab5770bbebe2f1
Opcode Fuzzy Hash: be749fb374e119204ea1432ed6411a1594da0bdab888e07c5ebe139f8a5d1d13
Instruction Fuzzy Hash: 2DD0C200C4E2CA0BE71B23B80C625A47F609A131A0F4A02D1D444C70E3E88D159A4272

Function 00007FFD9BAC0795 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4108803923.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9bac0000_airlineagancy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction ID: 9d775127c18b15faa6c8292c2e3c5b9aede7892cb9d8ad64ec262222c5b48043
Opcode Fuzzy Hash: b9e65dd4ba68bbb97a4f2f36a3ef5b2bb626c93ac90d9831ab7b834ad64c2e06
Instruction Fuzzy Hash: 20B09200F7B88A48D42933BA096B0B8BB60AB8A124FE614B1D48841092988E16A64282

Analysis Process: new policy.scr.exePID: 7784, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.7%
Total number of Nodes:	156
Total number of Limit Nodes:	15

Executed Functions

Function 05883471 Relevance: 1.9, APIs: 1, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa56c2f87ffe7ecb5c3bd29e19e7fe28bed5001a21952ad6fad997d875749c5
Instruction ID: e7e460416e5e01ac03647a482b708285b0ac5a3c8488b3593002b928acc04196
Opcode Fuzzy Hash: 2aa56c2f87ffe7ecb5c3bd29e19e7fe28bed5001a21952ad6fad997d875749c5
Instruction Fuzzy Hash: 88E12970A002098FDB14EFA9C848BADBBF2FF48714F158959E816EB265DB74ED45CB40

Function 07758C68 Relevance: 1.8, APIs: 1, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2867098655.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7750000_new policy.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: b7961a83725bf87eca1d427baa48b7ad5690961eb9bea04560af57e4a7c121fb
Instruction ID: e623612f0e4d28f2bcf988252d01ae38e39658bff7fefe73a5b148264cf413c6
Opcode Fuzzy Hash: b7961a83725bf87eca1d427baa48b7ad5690961eb9bea04560af57e4a7c121fb
Instruction Fuzzy Hash: 6DE107B1D0021ACFDB10DF68D880A99FBB5FF48310F14C6AAD919AB345D770AA85CF91

Function 0150EF08 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0150EF86
GetCurrentThread.KERNEL32 ref: 0150EFC3
GetCurrentProcess.KERNEL32 ref: 0150F000
GetCurrentThreadId.KERNEL32 ref: 0150F059

Memory Dump Source

Source File: 00000003.00000002.2831074524.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1500000_new policy.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7939f4d1d0e4c5c7fa244957e0900b5ffd8011571e9ecba92d3d6e942ef889d1
Instruction ID: bd8d67e7571fba3c1e29331f61cc9dd62563137719c3290463cd2dd4d2941f06
Opcode Fuzzy Hash: 7939f4d1d0e4c5c7fa244957e0900b5ffd8011571e9ecba92d3d6e942ef889d1
Instruction Fuzzy Hash: BF5165B0D013098FEB14DFAAD948B9EBBF1FF88304F248859E419A7290D7745984CF65

Function 0150F150 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0150F1D7

Memory Dump Source

Source File: 00000003.00000002.2831074524.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1500000_new policy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 40a12e46b8a3b73694d2bfe6891325ab1b243d3f7401aedeb676b4821f65af25
Instruction ID: e2abc8005cee706fa34c4e27fc969f2a991c5601ebea21ef4695a1fb54b1518d
Opcode Fuzzy Hash: 40a12e46b8a3b73694d2bfe6891325ab1b243d3f7401aedeb676b4821f65af25
Instruction Fuzzy Hash: DE21E2B5D002099FDB10CFAAD884ADEBFF9FB48310F14841AE918A7350C374A944CFA1

Function 07756A74 Relevance: 1.6, APIs: 1, Instructions: 61
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimes.KERNEL32(00000000,00000000,?), ref: 0775905C

Memory Dump Source

Source File: 00000003.00000002.2867098655.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7750000_new policy.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 7c525826511b9d2b9a97fbbb46c19a774509b68a2397384f01dfa23cf23269a2
Instruction ID: 40166bfd03553b53f94b07a7088a341fd9a9f22ca8db8bcbcb45fd1eb9c29484
Opcode Fuzzy Hash: 7c525826511b9d2b9a97fbbb46c19a774509b68a2397384f01dfa23cf23269a2
Instruction Fuzzy Hash: 6B21F3B1C012099FCB50DFA9D984BDEFBF8EF48310F24806AE908AB241D3749944CFA5

Function 0150BC08 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0150CB39,00000800,00000000,00000000), ref: 0150CD4A

Memory Dump Source

Source File: 00000003.00000002.2831074524.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1500000_new policy.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b18b28ea4fdcaa098cdb26d78b727c4f7b08b2a5c6e8d4fe8908579351f12fab
Instruction ID: 38525f0248e7b8a1b17ec50c88bf45c7b66cd71eaa1480428f78e805c251ea4b
Opcode Fuzzy Hash: b18b28ea4fdcaa098cdb26d78b727c4f7b08b2a5c6e8d4fe8908579351f12fab
Instruction Fuzzy Hash: 471142B6C003498FDB10CF9AD848A9EFBF4FB89310F10846AE919AB240C374A545CFA5

Function 05882000 Relevance: 1.6, APIs: 1, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05882065

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9bab220d6d56770c84514c9233837ff0633790821243d168ec66b5937c64c6a5
Instruction ID: 32b31d0878bb2a8ffbf00229980403c70bb7138a53c4f19729127b71a3bf59a1
Opcode Fuzzy Hash: 9bab220d6d56770c84514c9233837ff0633790821243d168ec66b5937c64c6a5
Instruction Fuzzy Hash: 8F1128B58003499FDB10DF9AD845BEEBFF8EB48324F108459E955A3251C375A944CFA1

Function 05882008 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05882065

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 51fcc9cfacbfb8c91aa153ce5976cb33bd9046c9af8ddf4507e546bbcf020a06
Instruction ID: 33230450aab085ac1fe10cb6b688c36d7ca926061a34556adedeeaf69ea56a2a
Opcode Fuzzy Hash: 51fcc9cfacbfb8c91aa153ce5976cb33bd9046c9af8ddf4507e546bbcf020a06
Instruction Fuzzy Hash: 341106B58003499FDB10DF9AC845BEEFBF8EB48320F108459E955A3251D379A944CFA5

Function 0150CA58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0150CABE

Memory Dump Source

Source File: 00000003.00000002.2831074524.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1500000_new policy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d757d29312fda0dfa3a5a10c26a0e8f6a6df9c65d4aaa0946535c4342906783a
Instruction ID: 6d3c2281826de64cd90dda4eb6c1c25c5edd19a2994aa46777b77a606ea18f94
Opcode Fuzzy Hash: d757d29312fda0dfa3a5a10c26a0e8f6a6df9c65d4aaa0946535c4342906783a
Instruction Fuzzy Hash: A51110B6C002498FDB10DF9AD844ADEFBF4EB89314F14856AD419A7240C375A545CFA1

Function 05881618 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05883235

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 30346a7be493f99bd22eae36a554a336ef5f7829daac45854c62485bab4347c9
Instruction ID: b0a79c97e2504ad650dd3cc9a267b8682aadc65dde1676d94e5733dbd9b8f8a2
Opcode Fuzzy Hash: 30346a7be493f99bd22eae36a554a336ef5f7829daac45854c62485bab4347c9
Instruction Fuzzy Hash: 181145B4C003498FCB10EF9AD848BDEBFF4EB48714F108859E919A3200C375A944CFA5

Function 05880B68 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05880BCD

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f223a2b141ca666a2ce9932d1c1e4a5e39f9a9ac07de37fa22bf3cf57c1471b1
Instruction ID: 8bb0ce777799f1c2143f8516aa3b7cfc4bbb81f5e783f6119fadf0c73ac25b34
Opcode Fuzzy Hash: f223a2b141ca666a2ce9932d1c1e4a5e39f9a9ac07de37fa22bf3cf57c1471b1
Instruction Fuzzy Hash: 3B1103B5800349DFDB10DF9AD949BDEBFF8EB48314F14845AE918A7200C375A948CFA1

Function 058831D8 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05883235

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 64f5fe038a6c581d37995ae19d3af39b78e9ae376412444cae2a2d74f4db99b8
Instruction ID: 12ce3d5469887397e66e78ea0c613918a6845626c39479ae0a22d0d152c2456e
Opcode Fuzzy Hash: 64f5fe038a6c581d37995ae19d3af39b78e9ae376412444cae2a2d74f4db99b8
Instruction Fuzzy Hash: 021103B1C043498FDB10EF9AD849B9EBFF8EB48314F108459D959A7210C778A945CFA5

Function 05884159 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 058841BD

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: cb0e99dccc51ff3d7b8beb5788602e5f22afd860203584f6de79a52391eef136
Instruction ID: 8096e40ba6a2e0f78b627d88785072ad66c43d62442bf12a23a362496f57c93c
Opcode Fuzzy Hash: cb0e99dccc51ff3d7b8beb5788602e5f22afd860203584f6de79a52391eef136
Instruction Fuzzy Hash: 7511F2B5C043498FDB10EF9AE948BDEFBF8EB48314F10846AD819A3210D374A545CFA5

Function 05880B70 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05880BCD

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c485369fd15b50829589ab9e749246fd146077ba7b24ed1f61b713e82904943
Instruction ID: 4d78183bc26363276b4647976276620b0e3525e13977643c02d32f299dc44dce
Opcode Fuzzy Hash: 1c485369fd15b50829589ab9e749246fd146077ba7b24ed1f61b713e82904943
Instruction Fuzzy Hash: 9711D3B5800349DFDB10DF9AD849BDEBBF8EB48314F148459D919A7200C375A944CFA1

Function 05884160 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 058841BD

Memory Dump Source

Source File: 00000003.00000002.2857886207.0000000005880000.00000040.00000800.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5880000_new policy.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 1c1b0466365387c331070f48f6d1f60ea292654cf3d573c0f2ed1cf9eea6ae7f
Instruction ID: aeab5836a84331520ef8027f9bf06ccc3b4194f6013a319f63509245e57405b4
Opcode Fuzzy Hash: 1c1b0466365387c331070f48f6d1f60ea292654cf3d573c0f2ed1cf9eea6ae7f
Instruction Fuzzy Hash: 3E1100B5C002498FDB10EF9AD848BDEFBF8EB48314F10842AD819A3210C378A544CFA5

Function 0145D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2830620912.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_145d000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37b195f884deaf70c2368a1842430eb9c000dc3a180a0c30674126094aff780
Instruction ID: 941a96996898419a97f21deeb7105fa687917e95825721ddadbf14ed7ead67cf
Opcode Fuzzy Hash: a37b195f884deaf70c2368a1842430eb9c000dc3a180a0c30674126094aff780
Instruction Fuzzy Hash: A321F1B1904240DFDB45DF98D9C0B67BF65FF84314F24C56AED090A267C336E456CAA1

Function 0146D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2830701799.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_146d000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520abfc42331d6755b3c1deda7cfab72d95bcdcc8b1fbdd722a04a6b9bb85799
Instruction ID: 6f4cce4bd6ae4ed74df19695b86de6030adaf7b9b28a6f5bbcd8953c2e74b97c
Opcode Fuzzy Hash: 520abfc42331d6755b3c1deda7cfab72d95bcdcc8b1fbdd722a04a6b9bb85799
Instruction Fuzzy Hash: B52125B1A04240DFDB15DF58D9C0B26BBA9EB8431CF24C56ED98A0B366C337D407CA62

Function 0146D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2830701799.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_146d000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fef5b8c3dc3150e7dd7c07319742249d1d7da6ab6db2fc67a336fbb373f852e
Instruction ID: d73d77668c290b05d1dc90cf73e9a2f9c7b3c7c227e3a5c69c18e28a50ce307a
Opcode Fuzzy Hash: 4fef5b8c3dc3150e7dd7c07319742249d1d7da6ab6db2fc67a336fbb373f852e
Instruction Fuzzy Hash: 192180755093808FDB03CF24D594716BF71EB46218F28C5DBD8898B6A7C33A980ACB62

Function 0145D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2830620912.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_145d000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 2c89e0d826f68fa128f4c3c6bfcbaacd2391da3ddc03a0e34277a93da17e555c
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: E011AC72804280CFCB02CF54D9C4B56BF61FB84214F24C5AAD8490A667C336E45ACBA1

Non-executed Functions

Function 0145D01C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2830620912.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_145d000_new policy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1e9185094c5ef16796e3ad083ad76acf2c070f471405f1e3bc79715ba4438c
Instruction ID: b690637d7a1c7d73b034ca9d5fdcdc3a9ea823bf6c531f6c2a515adf444a8a70
Opcode Fuzzy Hash: aa1e9185094c5ef16796e3ad083ad76acf2c070f471405f1e3bc79715ba4438c
Instruction Fuzzy Hash: 272104F09042409FDB54EF58D580B26BBA5EF84B58F20C56EDD0A4B353C33AD447C661

Analysis Process: Networks!.exePID: 8108, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	97.7%
Signature Coverage:	0%
Total number of Nodes:	309
Total number of Limit Nodes:	6

Executed Functions

Function 05C32D50 Relevance: 16.1, Strings: 12, Instructions: 1139COMMON

Download Yara Rule

Strings

$^q, xrefs: 05C3368A
$^q, xrefs: 05C33267
$^q, xrefs: 05C33631
$^q, xrefs: 05C33641
$^q, xrefs: 05C32FF3
$^q, xrefs: 05C33257
$^q, xrefs: 05C331B7
$^q, xrefs: 05C3369A
4, xrefs: 05C33735
,bq, xrefs: 05C3381A
$^q, xrefs: 05C32FE3
$^q, xrefs: 05C331A7

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312445597
Opcode ID: 56ced6d7fe3bf022dfb7cd3f5ce8c496500fb1d4d003057aa0b0e80660268846
Instruction ID: 95f43814d2c57cbbbe15179053df0e085c0bed27186d2d28c893917d4e2b7dde
Opcode Fuzzy Hash: 56ced6d7fe3bf022dfb7cd3f5ce8c496500fb1d4d003057aa0b0e80660268846
Instruction Fuzzy Hash: 5AB21834A00258CFDB14DFA8C895BADB7B6BF88700F158999E505AB3A5CB70ED85CF50

Function 05C33087 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$^q, xrefs: 05C3368A
$^q, xrefs: 05C33631
$^q, xrefs: 05C33257
4, xrefs: 05C33735
,bq, xrefs: 05C3381A
$^q, xrefs: 05C331A7

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q
API String ID: 0-2546334966
Opcode ID: 68db8b920d2a6dab488215d03386c8bebb5aa4c08a641aa4d06a2f5471877e21
Instruction ID: db0ebe33f742160088e534bf0cd64e7f8ce52d57bbf6ce6e3139f04f0b7f90e2
Opcode Fuzzy Hash: 68db8b920d2a6dab488215d03386c8bebb5aa4c08a641aa4d06a2f5471877e21
Instruction Fuzzy Hash: F6223B34A00258CFDB24DFA4C985BADB7B2BF48700F1489A9E509AB3A5DB70DD81CF50

Function 02B2B178 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbaq, xrefs: 02B2B2A5
pbq, xrefs: 02B2BD32
Te^q, xrefs: 02B2B89B
TJcq, xrefs: 02B2B31A

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: 0f3acf19551241b97ee5128b9e792beb28b44200e92d73f406775e3ba00e670f
Instruction ID: da9ce5f5c9598c81bfa5884a899b67eafa079c65644060e0c764e21fede23a5c
Opcode Fuzzy Hash: 0f3acf19551241b97ee5128b9e792beb28b44200e92d73f406775e3ba00e670f
Instruction Fuzzy Hash: C1A29475A002288FDB64DF69C984B99BBB2FF89304F1581D9E50DAB325DB319E85CF40

Function 05C34368 Relevance: 2.9, Strings: 2, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 05C3445E
(bq, xrefs: 05C3470C

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq$,bq
API String ID: 0-1616511919
Opcode ID: 66d4b2c77c314d57d0bcba3f24d9ea95426a0f2187b88d1573cf16d0570bbfde
Instruction ID: 0d0186135696f82a8991c961d6b8d9a665f2a9e18c736cf0672c08587a6c0ada
Opcode Fuzzy Hash: 66d4b2c77c314d57d0bcba3f24d9ea95426a0f2187b88d1573cf16d0570bbfde
Instruction Fuzzy Hash: B3E13D75A042088FCB19DF69C5C9AADBBF2FF89311F2588A9E4059B362D734DD81CB50

Function 02B26BBF Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 02B26C7F
4'^q, xrefs: 02B26CAA

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 9dc8b421bd9418885499e2a756f813fa410b8d6bb3a097b742ca122c3f3b4827
Instruction ID: 1984e86616964897e21bbe6b05c1b550604c09215a0c5af6ec9e7abe17609cc3
Opcode Fuzzy Hash: 9dc8b421bd9418885499e2a756f813fa410b8d6bb3a097b742ca122c3f3b4827
Instruction Fuzzy Hash: 66712CB0D102498BDB08EF6AE99179ABBF3FFC9304F14C529E404EB265DB3859069F40

Function 02B26BC8 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 02B26C7F
4'^q, xrefs: 02B26CAA

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 58d5f9cd33137b2e62ae9c66379eff2baa99bda0a54d59a0ecb85ae1051391c3
Instruction ID: e645125fd8a4476875f8a101bba6e06fc52ee9678b50dece577d4d22ec5bfd41
Opcode Fuzzy Hash: 58d5f9cd33137b2e62ae9c66379eff2baa99bda0a54d59a0ecb85ae1051391c3
Instruction Fuzzy Hash: 75711BB0D102498BDB08EF6AE98579ABBF7FFC9304F14C529E405EB264DB3859459F40

Function 05EBEFA0 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

Te^q, xrefs: 05EBF26E

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2c6bbcfb7eab26da6440d6236201f740ee4cd89780a759bdc565119d4998d6df
Instruction ID: 70a4426b724f904e6739b2528e687e081abb7db3eb3c5ad85b4c394848a6d9ac
Opcode Fuzzy Hash: 2c6bbcfb7eab26da6440d6236201f740ee4cd89780a759bdc565119d4998d6df
Instruction Fuzzy Hash: 07F10474E05218CFEB64CF69D984BEAB7F2BB49305F1091AAD45DA7254EBB05E80CF01

Function 05D9FBD0 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05D9FC5E

Memory Dump Source

Source File: 00000006.00000002.2238914072.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d90000_Networks!.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 109321661f635b22d597df7cfbca1ebd1ff00b7f2975b95b911c3899bfaed5c2
Instruction ID: a0a4af7ec998ce6e38a60528152510fe7add1583b655fca8cec7af10b7759af6
Opcode Fuzzy Hash: 109321661f635b22d597df7cfbca1ebd1ff00b7f2975b95b911c3899bfaed5c2
Instruction Fuzzy Hash: 4B31C8B4D012199FCF10CFA9D984A9EFBF1BB49310F20942AE819B7300C734A945CF94

Function 05D9FBC8 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05D9FC5E

Memory Dump Source

Source File: 00000006.00000002.2238914072.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d90000_Networks!.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 995f142c20f46ca9a351975288ebf90e7a5159e0bc77379fb011fbcd42500bda
Instruction ID: 305420fe6eb20e0bd8db245591eb7ef536345b3c97293665978826231f1997f0
Opcode Fuzzy Hash: 995f142c20f46ca9a351975288ebf90e7a5159e0bc77379fb011fbcd42500bda
Instruction Fuzzy Hash: 4A31C8B9D012199FCF14CFA9D985AAEFBF1BB49310F20942AE819B7300C774A9458F94

Function 05EBFB00 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

Te^q, xrefs: 05EBFB84

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 325218c6528709f91188f5fdf93d4aa51862d573212cf499d1e66463a32b8ddf
Instruction ID: be6816abeb88d9c92fa6014f6b4872eceb26bce936fe3d4ea59bae77998c818f
Opcode Fuzzy Hash: 325218c6528709f91188f5fdf93d4aa51862d573212cf499d1e66463a32b8ddf
Instruction Fuzzy Hash: E8A11774D04208CFEB14CFA9D984BEEBBF2BB49305F10A46AD459AB255DBB45D85CF00

Function 05A27C48 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

Te^q, xrefs: 05A27DF6

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: ef5f63fd2fe1d331f3f5dd9d50caef6d2c1b9fa384a232af93cff07cbe776262
Instruction ID: a8ce28a964d38357ec5d6f05469ddbae94c0b338d2b7ed971c4c217b18b262f9
Opcode Fuzzy Hash: ef5f63fd2fe1d331f3f5dd9d50caef6d2c1b9fa384a232af93cff07cbe776262
Instruction Fuzzy Hash: FCB1F474E09228CFDB24CFA9D945BADBBF2FB89300F1091AAD419A7255DB745A85CF00

Function 05A27C38 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

Te^q, xrefs: 05A27DF6

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 88197cad746594d9052730f3f8748905514ec974629cc04fd059cf501e49ed4a
Instruction ID: 80222bb5c459c5ad5eafd37e76538118c4a02fd8201f5786fb5757b1a0d5a907
Opcode Fuzzy Hash: 88197cad746594d9052730f3f8748905514ec974629cc04fd059cf501e49ed4a
Instruction Fuzzy Hash: 34B1F474E05228CFDB24CFA9D985BADBBF2FB89300F1481AAD419E7255DB745A85CF00

Function 02B5E707 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5a44e7d6d23b73da11c251427c8320fb024a939a6f3b42dc8f8d1afb40504d
Instruction ID: f6fc39f75045959433482e0cbd07d58477fa2a2b98ba3038a8429f50f9f81f6b
Opcode Fuzzy Hash: 8b5a44e7d6d23b73da11c251427c8320fb024a939a6f3b42dc8f8d1afb40504d
Instruction Fuzzy Hash: B7B14C74E05258CFCB14DFA4E494BADBBF1FB4A300F1481AAD809AB255DB389E85DF11

Function 02B59EF0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036e584bf44c17e4a21fd72c21504d59ee8af16269216d7106288d3b843e62ec
Instruction ID: 79b6f59aa17a71820f966ba5a6aef39e4114fb03b3751d1c8d2e751ca5ddccc7
Opcode Fuzzy Hash: 036e584bf44c17e4a21fd72c21504d59ee8af16269216d7106288d3b843e62ec
Instruction Fuzzy Hash: 9EB10574E05218CFDB54EF69E994BADBBF2FB4A300F1091AAD809AB254DB745D81CF40

Function 02B59EE1 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565a3d1c50a983a5e342aa50fd9a8ea3ba7ac38932d6aad55e4beb6601fd3f71
Instruction ID: af3721e8b8e6ab9eb8da9053329dd8ee5b3d406dccf2e5eeda93cf328c8693f9
Opcode Fuzzy Hash: 565a3d1c50a983a5e342aa50fd9a8ea3ba7ac38932d6aad55e4beb6601fd3f71
Instruction Fuzzy Hash: BFB10574E05258CFDB14EF69E994BADBBF2FB4A300F1091AAD809AB254DB745D81CF40

Function 05A26E88 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13fb5d15c1e54c720c2407c56fe3b43c9976bf42d6aa823e1ea93328d6e5a34
Instruction ID: 856f58708f346d44b86100802b8741d84caa3b91d235f9218d6833b4b8f2fb0b
Opcode Fuzzy Hash: a13fb5d15c1e54c720c2407c56fe3b43c9976bf42d6aa823e1ea93328d6e5a34
Instruction Fuzzy Hash: 32811570D0A228CFEB24CF69D946FADBBF2FB49300F1091AAD409A7251DB755A85CF11

Function 05A20040 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb42ef7d7411e39e919d66c8c82b7104a1f8b5ee262bb7e9a98efffb00b8bafe
Instruction ID: c9f6ca6c1076c54129fca585abfd3047c0d0a86c18a9d02bed5153e62c406f41
Opcode Fuzzy Hash: bb42ef7d7411e39e919d66c8c82b7104a1f8b5ee262bb7e9a98efffb00b8bafe
Instruction Fuzzy Hash: F341E870D052288BEB58CF6AC945BEDBBF7BF89300F14C1AAD40DA6255DB745A85CF01

Function 05C39E28 Relevance: 7.9, Strings: 6, Instructions: 402
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 05C39EFA
pbq, xrefs: 05C39F7F
4'^q, xrefs: 05C39EDC
4'^q, xrefs: 05C39EAC
(bq, xrefs: 05C39FF2
4'^q, xrefs: 05C39F72

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq$4'^q$4'^q$4'^q$4'^q$pbq
API String ID: 0-723292480
Opcode ID: 60f8762b3136169528d8852edfcd25eb258b0071dcb9eed4d651736dd1d66701
Instruction ID: 42c7f84c0a66223b107bac45b8bbd5ea43f9ee4398527dd7d8c307c3746dfd07
Opcode Fuzzy Hash: 60f8762b3136169528d8852edfcd25eb258b0071dcb9eed4d651736dd1d66701
Instruction Fuzzy Hash: 6ED17076A00119DFCB05DFA4C844E99BBB2FF88310F0684A8E509AB272DB32ED55DF40

Function 05C38F68 Relevance: 4.2, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 05C394BC
Hbq, xrefs: 05C3943D
Hbq, xrefs: 05C3946C

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq
API String ID: 0-2297679979
Opcode ID: e861c67b94d2574693fe43efabdf9ad0405738c81008394992b4a191540f1425
Instruction ID: ddcddf9c360d849aee0000f538a92ebe0eaf6165c2e488bebbdb810efe2ffcc3
Opcode Fuzzy Hash: e861c67b94d2574693fe43efabdf9ad0405738c81008394992b4a191540f1425
Instruction Fuzzy Hash: 00127170B006099FCB24DFA9C895A6EBBF2FF88300F148929E4469B351DB75ED46CB50

Function 05C3A820 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 05C3AA3A
4'^q, xrefs: 05C3AB19
4'^q, xrefs: 05C3AB99

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: 83de1c25d0595982c1d70036a714ea04330097d4e950af485f814ece3fb023e4
Instruction ID: 5cda69e18c9bebd7e81f62ed4133debdc66426218f7b2acd4daa844a6303ddf5
Opcode Fuzzy Hash: 83de1c25d0595982c1d70036a714ea04330097d4e950af485f814ece3fb023e4
Instruction Fuzzy Hash: 31F1A834A10118DFCB04DFA4D999AADBBB2FF88301F158559E446AB3A5DF71EC42CB40

Function 05C3F1F0 Relevance: 4.1, Strings: 3, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05C3F355
(bq, xrefs: 05C3F329
Hbq, xrefs: 05C3F381

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq$(bq$Hbq
API String ID: 0-2835675688
Opcode ID: 02e20fe62857a25da46b9d08912a494fd75a1e81ee92df270a20f5662cafc928
Instruction ID: 97d26bb49c1768d6473a274180a8fa477d3d959452adaf62abdc26f7f31345eb
Opcode Fuzzy Hash: 02e20fe62857a25da46b9d08912a494fd75a1e81ee92df270a20f5662cafc928
Instruction Fuzzy Hash: ECE13F34B00109DFCB04EF64D9959ADBBB2FF89300F108969E846AB365DB34ED46DB91

Function 059E0AB0 Relevance: 3.3, Strings: 2, Instructions: 847COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059E1549
4'^q, xrefs: 059E1559

Memory Dump Source

Source File: 00000006.00000002.2238196970.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_59e0000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 27948373e4ae5a9bc0540f04f4a290c3bf9577b1d1624e8c89b112a40f80f703
Instruction ID: f3e9d99eee674cea41b545d81735fb8f7990838a4443ad5b7b84ff6f047a58cb
Opcode Fuzzy Hash: 27948373e4ae5a9bc0540f04f4a290c3bf9577b1d1624e8c89b112a40f80f703
Instruction Fuzzy Hash: 12725BB4E08209DFCB16DBA9C849BEEBBB6FF49300F14846AE502AB391D7745841DF51

Function 05C3545B Relevance: 3.0, Strings: 2, Instructions: 550
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05C357E3
$^q, xrefs: 05C357D3

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 55f702345307a4e93300c653497b90f908ca2cbf59701f3343c5ffa668347357
Instruction ID: 5c6457f1e5bad57292c5d5054e6820f7ee2f050355cb1058d140742b0f5980ec
Opcode Fuzzy Hash: 55f702345307a4e93300c653497b90f908ca2cbf59701f3343c5ffa668347357
Instruction Fuzzy Hash: B3323735A102198FCF15DFA5D899ABDBBB2FF48700F148815E812AB394DB349E46DF90

Function 059E18C0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 059E1D56
4'^q, xrefs: 059E1D66

Memory Dump Source

Source File: 00000006.00000002.2238196970.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_59e0000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: e4b04d4484156278e6f953aa32de8ee09ea5420cf3954058e51d37f688827998
Instruction ID: 20a29d7458c0659f6ba96cef6a5d12a46d8c149505f8257e74405c34cc096b90
Opcode Fuzzy Hash: e4b04d4484156278e6f953aa32de8ee09ea5420cf3954058e51d37f688827998
Instruction Fuzzy Hash: 02F1C474E05208DFCB19DFA8E8996ECBBB6FF8A315F208529E406A7350DB755981DF00

Function 05C38618 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05C3862C
d, xrefs: 05C38879

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: 6d6fd343a48ae4569836c4de86d3b878cf289d09d812a94ae107eed8fe5abe45
Instruction ID: 0a698b65baa37fdcb631f63c95bc0573707fad491d2b66c8c431d32801eba492
Opcode Fuzzy Hash: 6d6fd343a48ae4569836c4de86d3b878cf289d09d812a94ae107eed8fe5abe45
Instruction Fuzzy Hash: 84D16A3460160ACFCB14DF19C485D6ABBF2FF89310B25C969E45A9B361DB30F946CB81

Function 059E2858 Relevance: 2.7, Strings: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 059E2AD9
4'^q, xrefs: 059E2AE9

Memory Dump Source

Source File: 00000006.00000002.2238196970.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_59e0000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 7c2601847608d330eaeeb6c4242b3ee1660fe089690c24c3a91fd29959828ae1
Instruction ID: 16415174283ae3d5d73def6f896e3b725ec633235cfcecd5b3338a524261b587
Opcode Fuzzy Hash: 7c2601847608d330eaeeb6c4242b3ee1660fe089690c24c3a91fd29959828ae1
Instruction Fuzzy Hash: 4691BE78E05208DBCF19DFA9D4886EDBBBAFF89311F50942AD416B7290CB755881CF20

Function 05C37048 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 05C371C3
(bq, xrefs: 05C3716C

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: faa7258632226590f40fa591b9ed0518b5a808262ee211d3b032206a398894cb
Instruction ID: af40bf4b119615a28ce515f30da17fdcb5933c26a7e33b200405f958ed16e39c
Opcode Fuzzy Hash: faa7258632226590f40fa591b9ed0518b5a808262ee211d3b032206a398894cb
Instruction Fuzzy Hash: 9F51AF313002198FCB15DF68D855AAE3BA2FF84341F248969F9068B391CF79DE56CB90

Function 05C34A88 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05C34C1D
(bq, xrefs: 05C34B8E

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 37d0c59f24b5d8c024d9e6f87f2eae8b3d5cc875ccf5826609a2ccf9ea1902d7
Instruction ID: cbc338bcb9d7be832963b21c7c91324b7a63811211c6a5f19799031773b3a730
Opcode Fuzzy Hash: 37d0c59f24b5d8c024d9e6f87f2eae8b3d5cc875ccf5826609a2ccf9ea1902d7
Instruction Fuzzy Hash: A05168347006148FC759AF29C4A9A2E7BB2EFD5344724886DE4468B3A1DF35ED06CB91

Function 05C311C0 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

(bq, xrefs: 05C312F8
Hbq, xrefs: 05C31324

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 9d7e6b5903e4264b9c190c64149106b7840a571d372a1db1721afff4fc4d738f
Instruction ID: e8fc342632ddd54f77937d2c5d75b666324433a2a269d9eec6edc6c3a166c373
Opcode Fuzzy Hash: 9d7e6b5903e4264b9c190c64149106b7840a571d372a1db1721afff4fc4d738f
Instruction Fuzzy Hash: E551DE712047458FD324DF6AC49171ABBF2EF85310F188A29E48ACB6D2DB79E949CB50

Function 05C39E01 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

pbq, xrefs: 05C39F7F
4'^q, xrefs: 05C39EAC

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q$pbq
API String ID: 0-3872760177
Opcode ID: 57f0597eba1c9c347938ce4465ccdf3a2cac615715760ea46626f3fe52ebf20a
Instruction ID: e8b9d0738185ddd094d877232355b60747ca674ad02ce157287e483f0b8b27fa
Opcode Fuzzy Hash: 57f0597eba1c9c347938ce4465ccdf3a2cac615715760ea46626f3fe52ebf20a
Instruction Fuzzy Hash: 7D41B3B0A043069FC705DF78C8417AFBBB3FF89304F148869E4499B256DB75AD468BA1

Function 02B5BBF9 Relevance: 2.5, Strings: 2, Instructions: 29COMMON

Download Yara Rule

Strings

%, xrefs: 02B5BB15
3, xrefs: 02B5BC04

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: %$3
API String ID: 0-2415910313
Opcode ID: ecc6308b20bc69c5952c8f103cdd33b1fd0a667da21d0c8941df2131b7bc0c57
Instruction ID: cfc8c3f392466b7e5fa06a7eb7be3838278e163f8f101f41c860a41ffe7de3d0
Opcode Fuzzy Hash: ecc6308b20bc69c5952c8f103cdd33b1fd0a667da21d0c8941df2131b7bc0c57
Instruction Fuzzy Hash: 7C01D278D8122BCBCB61DF64D844BACBBB1BB08308F0440E9E819A7250DB315E80DF45

Function 05C3B700 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,bq, xrefs: 05C3BA7B

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 3a0c7d25a6f2f9b493f105f73d8772e8caaa4a00aa5ca61165d3759c6411dac1
Instruction ID: df2f879c93f7bf3066011a53ee8335d0f3596c1643dc2240d56a659c05eb153c
Opcode Fuzzy Hash: 3a0c7d25a6f2f9b493f105f73d8772e8caaa4a00aa5ca61165d3759c6411dac1
Instruction Fuzzy Hash: F0521B75A002298FDB64DF69C991BEDBBF2BF88300F1584D9E509A7351DA309E81CF61

Function 05C36040 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_^q, xrefs: 05C362D0

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: b5502369387d28b8e7d28a00d67b983c0888af4145dab22d8650176a9334fa99
Instruction ID: bb010087e10698335e21c3e1419bb8c3ee551bf6e2528f6cee359953537bbca5
Opcode Fuzzy Hash: b5502369387d28b8e7d28a00d67b983c0888af4145dab22d8650176a9334fa99
Instruction Fuzzy Hash: 26228E71A10208AFDB04DFA9D495AADBBF2FF88314F148469E906DB391CB71ED85CB50

Function 05D9F9B8 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D9FA8B

Memory Dump Source

Source File: 00000006.00000002.2238914072.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d90000_Networks!.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 00aa7d8cc53fab353f8d18270b06f41c0d10ebb29fe6a0a3bc1fecde4831f20f
Instruction ID: f3c3077455e3b9b15056212f22df73373470480c64cce2ae95485b9be46fdeca
Opcode Fuzzy Hash: 00aa7d8cc53fab353f8d18270b06f41c0d10ebb29fe6a0a3bc1fecde4831f20f
Instruction Fuzzy Hash: 4841B8B5D012599FCF00CFA9D984AEEFBF1BB49310F20902AE819B7210D374AA45CF64

Function 05D9F9B0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D9FA8B

Memory Dump Source

Source File: 00000006.00000002.2238914072.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d90000_Networks!.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fabd21274edd45688d13bdc33b70812417f4cb72a1154c1f9057e23cfb2630a4
Instruction ID: 21f693ef4025db406dcac2bfa50928777ded2beac39fa36abca3f3c5822f223e
Opcode Fuzzy Hash: fabd21274edd45688d13bdc33b70812417f4cb72a1154c1f9057e23cfb2630a4
Instruction Fuzzy Hash: 7B41B9B5D012598FCF04CFA9D984AEEFBF1BB49310F24942AE819B7250D374AA45CF64

Function 05D9F858 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D9F902

Memory Dump Source

Source File: 00000006.00000002.2238914072.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d90000_Networks!.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0f4c00e8c1ba8e8e82cf73d17d38fc59c63922c5af2504bed19e0d382382e6f2
Instruction ID: 51a71a328a956522367fe1398728eaeff1661def7a04a4f12daec28e0e7da31c
Opcode Fuzzy Hash: 0f4c00e8c1ba8e8e82cf73d17d38fc59c63922c5af2504bed19e0d382382e6f2
Instruction Fuzzy Hash: 713197B8D00259AFCF10CFA9D980A9EFBB1BB49310F10942AE819B7210D735A941CF55

Function 05D9F851 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D9F902

Memory Dump Source

Source File: 00000006.00000002.2238914072.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d90000_Networks!.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 868c1489ec31ec2a0d313d2b5c9b5f1d13045e6b9b269f798a1caa834442a084
Instruction ID: 1e20086bd6fe0d323fdaa8f9a20119fea6a1aa63735ae6765d321ab4b32e0d05
Opcode Fuzzy Hash: 868c1489ec31ec2a0d313d2b5c9b5f1d13045e6b9b269f798a1caa834442a084
Instruction Fuzzy Hash: 4231B8B9D00259DFCF10CFA9D980AAEFBB1BB49310F10A42AE815B7210D734A901CF54

Function 05C4D938 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05C4D9DC

Memory Dump Source

Source File: 00000006.00000002.2238732596.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c40000_Networks!.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dfa1ad570eea1557ffe0bb05ebd4a0e31d113de1cb3f78680695a16291eb36b5
Instruction ID: 7dbc83c82e8fe914de621de72d50adb4e4a77d3d6e68de08279f9706e5cb08e2
Opcode Fuzzy Hash: dfa1ad570eea1557ffe0bb05ebd4a0e31d113de1cb3f78680695a16291eb36b5
Instruction Fuzzy Hash: D831A7B8D002489FCF10DFA9D984ADEFBB1BB49310F20942AE819B7210D735A945CF94

Function 059E0A94 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059E1549

Memory Dump Source

Source File: 00000006.00000002.2238196970.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_59e0000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 93c4f5db997a8a6b734e04595da890da0b3fef70bc4c370ac0a2849edf03c107
Instruction ID: d1f92302796bb02090c74e8592392cb069ca13fe17faade88ee434ebbf195455
Opcode Fuzzy Hash: 93c4f5db997a8a6b734e04595da890da0b3fef70bc4c370ac0a2849edf03c107
Instruction Fuzzy Hash: 53D1B4B09093889FD717DB78CC59B9A7FB9AF03304F1941D6E1809B2E3C6B85845CB62

Function 05D9B5F8 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE(?,?), ref: 05D9B692

Memory Dump Source

Source File: 00000006.00000002.2238914072.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d90000_Networks!.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8db50b00a95fe559fcfdd876cb339f64fde56caababcfa9ce9a7d536a712fc4d
Instruction ID: dcc1ecd797a8250b23fc36a86da27067bc86103f99b5900c1de3b6820bb92d69
Opcode Fuzzy Hash: 8db50b00a95fe559fcfdd876cb339f64fde56caababcfa9ce9a7d536a712fc4d
Instruction Fuzzy Hash: BD31CAB5D052589FCF10CFA9E980AEEFBF5BB49310F14942AE815B7200C734A946CF94

Function 05C3B6D8 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

,bq, xrefs: 05C3BA7B

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 131c69b637d76cc8e3c2e6f63bb7e67da56c0bf8ada3cead21e5ef83715eb34b
Instruction ID: 46d88df7f0a8da4880296d1a690c27a6a63d5e2da513b32a36c007874ca7e456
Opcode Fuzzy Hash: 131c69b637d76cc8e3c2e6f63bb7e67da56c0bf8ada3cead21e5ef83715eb34b
Instruction Fuzzy Hash: C2C150B5A001298FDB18DF68C995BEDBBF2FF88700F158099E509AB351DA709D81CF61

Function 05C3F790 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

(bq, xrefs: 05C3FA44

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 15129f134b2cb4cc1e7e28418c6f26c9dba9eb701504bb2581548a2ebc9a99d6
Instruction ID: a5580ced99c4befda1fa39b3fef55804babaa8e4121927250a744788a43cbb70
Opcode Fuzzy Hash: 15129f134b2cb4cc1e7e28418c6f26c9dba9eb701504bb2581548a2ebc9a99d6
Instruction Fuzzy Hash: B3A1B1357002049FC7199F68D855F6A7BB3FF89710F1588A9E10A8B3A2DB35EC42DB81

Function 05C367C8 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

Pl^q, xrefs: 05C369B0

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: Pl^q
API String ID: 0-2831078282
Opcode ID: 999e35cd9935aaed37d692b9eb08fc20f1f78f54f10267c2b8ea3066281877d0
Instruction ID: 2a335783161a1ba1f1a5f535cf3e97b512f8203fa246df3c6f26590e74c2f2db
Opcode Fuzzy Hash: 999e35cd9935aaed37d692b9eb08fc20f1f78f54f10267c2b8ea3066281877d0
Instruction Fuzzy Hash: 4791F470B002189FCB14DF69C484A6A7BF6BF89710B1184A9E506DF3B5DB71ED81CB91

Function 05C3A811 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05C3AA3A

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 434a2d22126f8d68ff2dc65a802fc98915fd7d9e7bcf57e6398012bb136d51ab
Instruction ID: f0a683048f2054b8d08d42a88f6bfdc88d0cd9434ce5d3d22e3eee94d845bf8b
Opcode Fuzzy Hash: 434a2d22126f8d68ff2dc65a802fc98915fd7d9e7bcf57e6398012bb136d51ab
Instruction Fuzzy Hash: 00A1CC34A10118DFCB04EFA4D999AADBBB2FF88300F558559E446AB365DF70EC46CB90

Function 05C31770 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

(bq, xrefs: 05C317E4

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d6f95448f75cabb51675384813e5283c15f7a6e9f8e8054bb30965de4d9648f3
Instruction ID: 15f70f465a959501eae34e984f9f8cfe4bdddbd5a7d21af27e47d4ead24d4c6d
Opcode Fuzzy Hash: d6f95448f75cabb51675384813e5283c15f7a6e9f8e8054bb30965de4d9648f3
Instruction Fuzzy Hash: F751D035B0061A8FCB10DF59C484A6AFBB1FF89320B1A8A6AE91597341C730F952CBD5

Function 05C307C0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

pbq, xrefs: 05C30870

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: 8bdb704bb37497a21b51d58388c88152ded05f260e5c23dc54506cba59545700
Instruction ID: 67eaca6abe9ad231628df2996da598afbd79c50fe6e18aec560286502071081f
Opcode Fuzzy Hash: 8bdb704bb37497a21b51d58388c88152ded05f260e5c23dc54506cba59545700
Instruction Fuzzy Hash: 15515C76600104AFCB459FA9C855D29BFF7FF8D31471A8494E2099B272DA32DC21EB51

Function 05C3E8B8 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05C3E902

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f458559fb00a57e18faa1622c90e487cb167ef64b5ef57c884dd41923b78cbab
Instruction ID: d96333520237f95e5d635697a1d071e508a30a480f9bb75eaad8d49f2f48c08a
Opcode Fuzzy Hash: f458559fb00a57e18faa1622c90e487cb167ef64b5ef57c884dd41923b78cbab
Instruction Fuzzy Hash: 92413234B106198FCB04EB64C899AAE77BBBFC9700F10482AE4479B394CF749D56DB91

Function 02B2E6D8 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

TJcq, xrefs: 02B2E767

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 3e18d3cad307f060c0318397b3355829b36cb7f0180c98f44d6f47fff9f014e9
Instruction ID: 986db4e9138f4ed720dfc0949110f1d251b3a866b74fca5467ac9d1e2edcafd0
Opcode Fuzzy Hash: 3e18d3cad307f060c0318397b3355829b36cb7f0180c98f44d6f47fff9f014e9
Instruction Fuzzy Hash: 0E51E678D00218DFDB04DFAAD9586ADBBF2FF89300F108569E919A7364DB34A949CF41

Function 02B5B138 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

%, xrefs: 02B5BB15

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: c79d0db68b8057a3bcdc042e91383f9e04eed35ec1fe4b83ee1ba3476882a230
Instruction ID: dc1d4020991dbe6418ae382f2ea37cde704ed0fad52b19bdc33652e95857b9d4
Opcode Fuzzy Hash: c79d0db68b8057a3bcdc042e91383f9e04eed35ec1fe4b83ee1ba3476882a230
Instruction Fuzzy Hash: 4341F574D05229CFDBA4DF69D844BADBBB2BB88304F0080EAD809BB254DB355A85CF54

Function 05C4EF00 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05C4EF9F

Memory Dump Source

Source File: 00000006.00000002.2238732596.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c40000_Networks!.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efa5b775d7cdfa86653ffdda9b8c087e39564c912618deeff0dd2f5e275f9ab8
Instruction ID: 48ff9d55fd37a0e170671da366e14ce5e680881d26739877473187c6848a2ab6
Opcode Fuzzy Hash: efa5b775d7cdfa86653ffdda9b8c087e39564c912618deeff0dd2f5e275f9ab8
Instruction Fuzzy Hash: DB31A7B8D042589FDF10CFA9E884ADEFBB5BF49310F20942AE819B7210D735A945CF95

Function 05C31068 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

(bq, xrefs: 05C310B8

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e1ce386a2a3230f76517debae5f312f6413c6f27443377ae70ec578286177706
Instruction ID: f0d7aeb542e436fc45766becbc713e971a4b40c66594980cbe8a8bb4902a71c8
Opcode Fuzzy Hash: e1ce386a2a3230f76517debae5f312f6413c6f27443377ae70ec578286177706
Instruction Fuzzy Hash: B421E1363042559FDB159F6DD884A6E7BA6EFC9320B14847AF909CB3A0CE319D11CB90

Function 05C39C91 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05C39CD9

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d4c30a17268f4f993652bedf25e42d9f88b6a8f8f177b7e84ecfae6f4dfe0494
Instruction ID: 39db16de6601426dd78332e64e097e49fb47be626b7441075f2986f90ab75486
Opcode Fuzzy Hash: d4c30a17268f4f993652bedf25e42d9f88b6a8f8f177b7e84ecfae6f4dfe0494
Instruction Fuzzy Hash: 90318272A10105AFCF049F98CC45E69BFB7FF8C710B0544A9EA0A9B365DA71DD12CB90

Function 05C353A0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05C353DA

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: c5cc445e06021790535f6613b2194ff0078ea90dee0341f2a0afa1f2623ccf07
Instruction ID: 6b70c5ddf213d57b631de7f4f8d59d1a2ff4c12b70c556ea97736ccd5c34a646
Opcode Fuzzy Hash: c5cc445e06021790535f6613b2194ff0078ea90dee0341f2a0afa1f2623ccf07
Instruction Fuzzy Hash: 8A218B753082489FCB05CF2AC845AAA7BFAFF89311B144495FC05CB3A1CAB1DC51CB20

Function 05C35390 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05C353DA

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: c0154146e5f3459f3256e21d670822e07604c14403111718aeb1af79c58234e9
Instruction ID: 080e3d6b0dd72de1a36396ba8e0b3a7cc5388faa8f43a3db5c8d3465da761c0a
Opcode Fuzzy Hash: c0154146e5f3459f3256e21d670822e07604c14403111718aeb1af79c58234e9
Instruction Fuzzy Hash: D02158753082489FCB15CF2AC845EAA7BFAFF8A211B154496F905CB3A1CA70DC51CB20

Function 02B5B769 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

?, xrefs: 02B5B7EA

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: b265edb1b257b0cada7b0a1a86b75203bccdc8e295527d872beeb560993c3ee0
Instruction ID: c36f674f53959184564851f9af56cddbc439a46cd9f2e06909bed184ff558b50
Opcode Fuzzy Hash: b265edb1b257b0cada7b0a1a86b75203bccdc8e295527d872beeb560993c3ee0
Instruction Fuzzy Hash: 92218AB4D05229DFDB61CF64C899BECBBB2BB08304F0442EAD909AB254DB755AC1DF50

Function 02B5BC5A Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

8, xrefs: 02B5BCC6

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 66fc0533bdc4cb12491e96ec3c59060a320132d95d3adf6a1b7dd84104f73705
Instruction ID: 3556aee0ef038e6c7422435b6fd56dcdba9d689b54570a7c00645f3e27fadc84
Opcode Fuzzy Hash: 66fc0533bdc4cb12491e96ec3c59060a320132d95d3adf6a1b7dd84104f73705
Instruction Fuzzy Hash: 3521AF7494122D8FCBA0DF64C888BEDBBB1BB48304F1041EAD809AB254DB355F81DF51

Function 02B21C11 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

8bq, xrefs: 02B21C3D

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 20b82aaf7299e3f5d1b87198e71269de9d69140ca58e5d1187b7d57d8ecdc3a8
Instruction ID: 43ed485ff8f6209911c00b4015d2c7270b046d935aa17e98e7b347a645918823
Opcode Fuzzy Hash: 20b82aaf7299e3f5d1b87198e71269de9d69140ca58e5d1187b7d57d8ecdc3a8
Instruction Fuzzy Hash: 8D01C0786193508FC702EB2CE844BA577A2AB85300F1894F9E40DCB2ABCB395C49DB42

Function 02B5B827 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

%, xrefs: 02B5BB15

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: a359b398fdf07e3c1eb1a204dc91a79adcd3d8e230e71ffa9deaa56e5ee2198d
Instruction ID: 252fbbb06d640f5f7d41bb9c7bdc50c38f6cefc19702e0671b32d023fc515800
Opcode Fuzzy Hash: a359b398fdf07e3c1eb1a204dc91a79adcd3d8e230e71ffa9deaa56e5ee2198d
Instruction Fuzzy Hash: 28119374D4122BCFDB64DF54D944BACBBB1BB48308F0481EAE819A7254E7355E80DF40

Function 02B5B362 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

$, xrefs: 02B5C238

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 0c577be30be56f28cdce7d4262c3f8dcfbe49db01a98e8776b9e8b9629a6792a
Instruction ID: 8feed8552f18145dc6cd8212372b245b127793260e38768c794a4ae178369699
Opcode Fuzzy Hash: 0c577be30be56f28cdce7d4262c3f8dcfbe49db01a98e8776b9e8b9629a6792a
Instruction Fuzzy Hash: 6411B0789052298FCB60DF64C988BDCBBB1BB09304F0481DAD84DB7255DB329E85DF40

Function 05EA6FED Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

M, xrefs: 05EA6FFA

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 50ef6ae33764553d38f1eaf02097adf7a3f1709b84d38daa5d4d8fbd06d69673
Instruction ID: d845ce8df8d37a97d7d2495e1435c0a920c7048f311c4f999057745761efde60
Opcode Fuzzy Hash: 50ef6ae33764553d38f1eaf02097adf7a3f1709b84d38daa5d4d8fbd06d69673
Instruction Fuzzy Hash: 3501C2B4A00228CFDB60DF24D888BE8B7B2BB19304F1098E5E499A7640DB746FC4CF11

Function 05C3C9B9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

E, xrefs: 05C3C9C1

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 4c2b1a70a7096637d2ce89f6fec6d2894394307108b6f9a0b118bcab7c427177
Instruction ID: ef25a1853821515a4461645a8788980bd2aea81bc7a7fff4e3ae81cdd3e6a0de
Opcode Fuzzy Hash: 4c2b1a70a7096637d2ce89f6fec6d2894394307108b6f9a0b118bcab7c427177
Instruction Fuzzy Hash: C2F0277560020C4BCB94DF78E8850CC7F21FF49A65B4046AEE90893242C7344E0E8B40

Function 05A22704 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

N, xrefs: 05A22712

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: e8865d789403acfd264aa9f67afa2fc4edb1a7cdf3309ff02c51879e7f02aa68
Instruction ID: a51498f0cbb94da9193c12226486a434c0f8172c1396cf6b0ea5495661cfb96f
Opcode Fuzzy Hash: e8865d789403acfd264aa9f67afa2fc4edb1a7cdf3309ff02c51879e7f02aa68
Instruction Fuzzy Hash: CA01C474E01228CFDFA0DF68D889FADBBB6BB49314F1095A6C419B2610DB744AC1CF15

Function 02B5B3EE Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

', xrefs: 02B5B442

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: c8db0398accbde205104252178878bfcab9fc5af542a693e28f9d841524f75fd
Instruction ID: bc7973ed02ba318ca7e41383901fa776c551000e3da1e1ced3aff85d6fff4ceb
Opcode Fuzzy Hash: c8db0398accbde205104252178878bfcab9fc5af542a693e28f9d841524f75fd
Instruction Fuzzy Hash: 10F07474946228DFEF61DF64D894BDCBBB1BB08300F1041DAE909A6390D7369E809F00

Function 02B5C096 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

4, xrefs: 02B5C0A4

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 38aa95c85266bcb02369750ea48ffd9124707e5e8dcf2c149c7ed72456dc28e6
Instruction ID: 073e0a84354b4a9ff8920dbbd2a6f681ca1548e49f0d4148a631cf0238879136
Opcode Fuzzy Hash: 38aa95c85266bcb02369750ea48ffd9124707e5e8dcf2c149c7ed72456dc28e6
Instruction Fuzzy Hash: 3EE0B67090922C8BDB60DF64C9487A9BAF0BB06318F0052D9848D66255CB360AC9CF11

Function 02B5B916 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

(, xrefs: 02B5B947

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ab8c1c8e7e95c037344be1249807aa4587adb6ef7abe6de67d7383e7ad82e7f4
Instruction ID: 51d5043184c7aa501a92e25b7a4ef7c9db50703333ca78df3441f384991f580e
Opcode Fuzzy Hash: ab8c1c8e7e95c037344be1249807aa4587adb6ef7abe6de67d7383e7ad82e7f4
Instruction Fuzzy Hash: 99E09278904229CFCB50DF60C948B9CBBB1BB48309F1482EA8809A7351D7369A86DF40

Function 05A28D02 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

A, xrefs: 05A28D31

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 3b30887fa4dea32153be783d34c22b80336f88c231c5f450a0aa1eb6bf838555
Instruction ID: dadf0cf00dd59e6a688693e973815674acad8272ab4639732e1c667c1b95e33c
Opcode Fuzzy Hash: 3b30887fa4dea32153be783d34c22b80336f88c231c5f450a0aa1eb6bf838555
Instruction Fuzzy Hash: 35D017B4B1426A8FCB00FB24E90879AB7F6BB85300F508A84D8499A244DBB88D818F51

Function 05C3EB08 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f43d23eb29b3af86fd6c523d7cd8cc8fa47632d2bd5f86587a7801bbe4832fa
Instruction ID: a8b390859ed1b7441953d4ed9f414ea150f4468447647b81988ee46c6a8adc52
Opcode Fuzzy Hash: 9f43d23eb29b3af86fd6c523d7cd8cc8fa47632d2bd5f86587a7801bbe4832fa
Instruction Fuzzy Hash: 03120A34B102198FCB14EF68C995BADB7B2BF89300F5189A9D44AAB355DF30AD85DF40

Function 05C31EE8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc64b6fe36b228d5aa24a4448652820182dc9b07e94bc5b5c6cae42bda1ba72c
Instruction ID: 8375997be6cf7d92c7e71fb4c77fd72b062b700ab94bf07efc2f8ac681251c8e
Opcode Fuzzy Hash: fc64b6fe36b228d5aa24a4448652820182dc9b07e94bc5b5c6cae42bda1ba72c
Instruction Fuzzy Hash: 9A917C39B112089FCB15CF69D99AAADBBB2FF88311F148469E902A7350CB31DD45CB50

Function 02B598DB Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff4e0ebe43c6352f4550b8a9d288d7a7c63354d6852556f09b0193f32436794
Instruction ID: 390b75a81cf16234921f3dfd172135d834a5ad261b9d2b7033979237f4dac8d6
Opcode Fuzzy Hash: 6ff4e0ebe43c6352f4550b8a9d288d7a7c63354d6852556f09b0193f32436794
Instruction Fuzzy Hash: 38C1E774E01268CFDB54EFA4E854B9DBBB2FB49300F1081AAD909AB355CB386D85DF50

Function 05A23896 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8820b80d8bba798391a0bb011bf6dd7dda3359ac76c2b90aa7d42e279be950fc
Instruction ID: f0ef946603180e410d0383f113ace567331966e5a1b3eb838dc3b792dde3454d
Opcode Fuzzy Hash: 8820b80d8bba798391a0bb011bf6dd7dda3359ac76c2b90aa7d42e279be950fc
Instruction Fuzzy Hash: 43A10774E05268DFCF14DFA8D556AADBBF2FB4A301F20846AE415EB641C7389A42DF10

Function 02B59A03 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6452c23535eb3bc947301afbd057cb0d11d2e547c60660968cf5c359faeb07
Instruction ID: 26deae6a2480e7fdd9b09c006d806fd1ac3f3552ab15be127cb369897f869432
Opcode Fuzzy Hash: 2c6452c23535eb3bc947301afbd057cb0d11d2e547c60660968cf5c359faeb07
Instruction Fuzzy Hash: 52B11774E01268CFDB54EF64E854B9DBBB2FB89300F1081AAD909AB355CB385D85DF50

Function 05C3EAFB Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5832a104df210e8c4dc7f6a17aa9fc00b61ffc21e89302bd916db084d7212d02
Instruction ID: 41af95f84bf16928de2d22abf26d8a9ccf2fbcdaef1b5c8d783cf70fc1d6c20f
Opcode Fuzzy Hash: 5832a104df210e8c4dc7f6a17aa9fc00b61ffc21e89302bd916db084d7212d02
Instruction Fuzzy Hash: 98A12D34B002198FCB14DF24C999BA9B7B2BF88300F5089A9E54AAB365DF74DD85DF40

Function 05C3FAB0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10490d049777d3af582e77d795bc2a7a744da628fae75429f69fc9ed21715259
Instruction ID: cfa3526a2b8279590d80bf736184ab6d6d016e551fe257e671f2691dc518a00b
Opcode Fuzzy Hash: 10490d049777d3af582e77d795bc2a7a744da628fae75429f69fc9ed21715259
Instruction Fuzzy Hash: 9C811C34B50118DFCB14DF68D899A6DB7B6BF88700F148869E8069B3A1CB74ED41CB90

Function 05C37528 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5515cc3469a7effcc226a032ecc16b4663cf2c271b64acd2257bf5c29e99725c
Instruction ID: 79088c4470e71d99fa2bd1ad3524c28207582457f6737d39eba43567e6125957
Opcode Fuzzy Hash: 5515cc3469a7effcc226a032ecc16b4663cf2c271b64acd2257bf5c29e99725c
Instruction Fuzzy Hash: EF811CB5A00618CFCB15DFA9C485D9DBBF6FF49310B1585A9E8069B360DB30EE41CB90

Function 02B59628 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e821fa14d9d739e8938b0b5f3128d638bf8c83f693f52eccecfa69a0ac35415
Instruction ID: 31e2871e26173e8b7bbf6e6248974c3b57f5bf3896edabf4b64ae89cc3a7fadd
Opcode Fuzzy Hash: 1e821fa14d9d739e8938b0b5f3128d638bf8c83f693f52eccecfa69a0ac35415
Instruction Fuzzy Hash: 53911874E05268CFDB14EF95E854BADBBF2FB89300F1081AAD909AB254CB385D85CF51

Function 02B59618 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00427c3fb5c9a4759104f907a38797fb3447e9ac64699a8ffa6781c99ab060ae
Instruction ID: bba669032223839c120112e6f25247fad7eeb528628085dbbfbe6d6e786687f7
Opcode Fuzzy Hash: 00427c3fb5c9a4759104f907a38797fb3447e9ac64699a8ffa6781c99ab060ae
Instruction Fuzzy Hash: CC910774E05268CFDB14EF95E854BADBBF2FB89300F1081AAD909AB254CB385D85CF51

Function 02B59B82 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cd7aa53be7163dcac187285de10717a02c8eee4a308bdac368d6965bd0a488
Instruction ID: 3417e9cf8a6c19892a53b6cd9d600cc4f2de90bf6b8810cd8e1003b80815ca58
Opcode Fuzzy Hash: 09cd7aa53be7163dcac187285de10717a02c8eee4a308bdac368d6965bd0a488
Instruction Fuzzy Hash: 6C91E874E01258CFDB54EF94E854B9DBBF2FB49300F1081AAD909AB254CB385D85CF51

Function 02B596A2 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247dde40862a446335bcdb44e264890c743faee3008f15b8f82ee484c70b4da5
Instruction ID: 2c48b5285d4e463eb176945562a9b66f669f5aefdf672387e80ba6007432db59
Opcode Fuzzy Hash: 247dde40862a446335bcdb44e264890c743faee3008f15b8f82ee484c70b4da5
Instruction Fuzzy Hash: 5F710974E05268CFDB54EF94E854BADBBF2FB49300F1081AAD909AB254CB385D85CF51

Function 05C3FAA0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3895831cbf2b31507bdd35c20e84170d654ee4646e169120221862ef774c71dd
Instruction ID: 19ee078e9e6ff5eb28f5a43d652b81cdeeed945c1ec04aa61527502eee41e188
Opcode Fuzzy Hash: 3895831cbf2b31507bdd35c20e84170d654ee4646e169120221862ef774c71dd
Instruction Fuzzy Hash: B2612B34B10618DFCB14DF68D899AADB7B6FF88700F158969E8069B365CB34ED41CB90

Function 05C3A3F0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3025f6a498a96b1adb8bbaeec930e140d81907695d79634b4eb805305888279f
Instruction ID: 85d8088bc00c8034207d68c24dc61787065da57410ed5f92da603dd3210821e7
Opcode Fuzzy Hash: 3025f6a498a96b1adb8bbaeec930e140d81907695d79634b4eb805305888279f
Instruction Fuzzy Hash: 8F516334B20509DFCB04DF68E859AADBBB6FF88B11F10851AF90697364DF349946CB81

Function 05EB8D88 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490480eb792ec5097bc044ff083ccdce72c1728c3a1b585ec39ae392458eb5eb
Instruction ID: 6ff9559d353bc5baec2600a54344d5634564f42e213e8fdbddb8109981d2e564
Opcode Fuzzy Hash: 490480eb792ec5097bc044ff083ccdce72c1728c3a1b585ec39ae392458eb5eb
Instruction Fuzzy Hash: BF5102B4E08228DFEB04DFA9D8446EEBBBABF49306F10A42AD415B3350D7B55945CF50

Function 05A27988 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1681a923c5d230c94dcd5a0252c9cf44a3d28ac16dac279d856b21810d63a5e
Instruction ID: 4b12ba03762d6b5a51c7868233fb3ab8693555350500f8083f521dd63adbf7d3
Opcode Fuzzy Hash: f1681a923c5d230c94dcd5a0252c9cf44a3d28ac16dac279d856b21810d63a5e
Instruction Fuzzy Hash: FC51B274D01218DFDB18DFA9D585A9DBBB2FF89304F20812AD41AAB350DB359A42CF41

Function 05A27978 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c6f8ea4ee527cb8cda2e1c1961625aad1bde95dac516cd4bd0521df9ce740c
Instruction ID: a23aa603adfb5e5a80b221d166be1d6e50515dbc209ccbf51c525fc80652d10f
Opcode Fuzzy Hash: 28c6f8ea4ee527cb8cda2e1c1961625aad1bde95dac516cd4bd0521df9ce740c
Instruction Fuzzy Hash: 8D41D270D01218DFDB18DFB9D595AADBBB2FF89304F24912AD419AB261DB319942CF40

Function 02B21990 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a497fab2e3488f506d879af4d288e564d6227d2212c62f1e2579a4e6e90687cc
Instruction ID: aaa437c615415f6bd4c69a6eb8b7a0be480f970c060855ff8ef18a74f33945fb
Opcode Fuzzy Hash: a497fab2e3488f506d879af4d288e564d6227d2212c62f1e2579a4e6e90687cc
Instruction Fuzzy Hash: 70418D30A14310CFC711DB68D0847AEB7B3EB81300F5582B9C14EAB29AC7759E8ACB81

Function 05C3FDB8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742e1f3438b4c275c7748a824dc44d21d8d6195ebfbe59692da6f6f9c29ab0ed
Instruction ID: 5569e8bf3634b08c515e87c1767cd88b75b8f6112f310f44c233016e3048ca95
Opcode Fuzzy Hash: 742e1f3438b4c275c7748a824dc44d21d8d6195ebfbe59692da6f6f9c29ab0ed
Instruction Fuzzy Hash: 6A414B35A0011CDFDB04DF64D956AEEB7B6FF88310F148469E806AB360DB349E16DBA0

Function 05C3D3D0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2631c37120ece3ecca7d0378c79fe2929629a925dece004c8cc0e33a5818816
Instruction ID: ed396b7a2bdb22c0169aee8074c68b050141496bc37885feab7337faf3b0c47e
Opcode Fuzzy Hash: c2631c37120ece3ecca7d0378c79fe2929629a925dece004c8cc0e33a5818816
Instruction Fuzzy Hash: 8931F7366101089FCB05DF69D889EA9BBB2FF48320B1644A9E90A9F372C731ED55CB40

Function 05C32389 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571feb4d80253c53efcfd3bcb8be9da873106007b575aabebac7ecbb48951663
Instruction ID: d36e0565e8c471f8e96378bc907b0b2cc85c6a5a5209490114a543d67b07dbef
Opcode Fuzzy Hash: 571feb4d80253c53efcfd3bcb8be9da873106007b575aabebac7ecbb48951663
Instruction Fuzzy Hash: FA416A75A102198FCF14CFA9C946BBEBBB2FF88300F01886AE556E7251D735DA45CB90

Function 02B219A0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71872da8c1d22f320f3d69dcf3d45ffc8d6666045ac313b10225d1b5f402e125
Instruction ID: fddc3a376b3aebbd65661e888ca4ea6e200718bc6b629cae90dbd994aef72a44
Opcode Fuzzy Hash: 71872da8c1d22f320f3d69dcf3d45ffc8d6666045ac313b10225d1b5f402e125
Instruction Fuzzy Hash: 98413A34A10215CFC715EF98D1847AEB7B3FB84305F5082B9C50DAB39AD7759A8ACB81

Function 02B21D08 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa41efa3e5090075e719d3a6af103fe34bda6aeefcae446dc8e66cfe7fac27d2
Instruction ID: 9192035e601a25ac23aa1cc337034524e1fc07e7998a11498f1f8eac1d9d294b
Opcode Fuzzy Hash: fa41efa3e5090075e719d3a6af103fe34bda6aeefcae446dc8e66cfe7fac27d2
Instruction Fuzzy Hash: F7312A38A24254CFCB05DB68D894A99BBF2EF89310F1585E6E849AB362C734AC45CF51

Function 05C34A79 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b03b27efee85b33f338f84ed72667a9dc6629fcccaefd21f83f0980709b182b
Instruction ID: 97f5964fd7f0b7edf925e971db690f9ee69bc05b699834aa70c403d13b7c5014
Opcode Fuzzy Hash: 9b03b27efee85b33f338f84ed72667a9dc6629fcccaefd21f83f0980709b182b
Instruction Fuzzy Hash: E8317034700604CFC729AF25D499A2ABBB7FF85305B14886DE8468B360DF75ED46CB50

Function 02B2FD60 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04224cb12edecb1939ccdbcb5b44053c6c72e7901efd194cbf24b3ad61ec0d6
Instruction ID: bc4b1a65b9c0c56e8859990b3d522c3dd9eb5f204e21e10d594ac85155e9a0ef
Opcode Fuzzy Hash: e04224cb12edecb1939ccdbcb5b44053c6c72e7901efd194cbf24b3ad61ec0d6
Instruction Fuzzy Hash: A83102B4E04218CBCB04EFAAD8446EEBBF2FB88300F10C4A9D819A7754D7385A45CF90

Function 05C3B190 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e23d740cd110bddd4e580858882be3e47baa03c1fd28986fc6845f2e9df6998
Instruction ID: 764ef9e6643c14fc00e668e751e54fb14803299c5cf32981e2e04933d1f6cc31
Opcode Fuzzy Hash: 9e23d740cd110bddd4e580858882be3e47baa03c1fd28986fc6845f2e9df6998
Instruction Fuzzy Hash: 8421D7323042088FC725DBADE985A6ABBA5EFC5315B15897BE04EC7251DB31EC02C790

Function 02B26A6B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31bec1db742029a7cf4e9f56be755ca096a268d8a8c04010e9b237e0a47d493
Instruction ID: e4e92fb1071354dd1e25d7d52d2e2d9630b12c8622e91d7f8f8524c59a5c221f
Opcode Fuzzy Hash: a31bec1db742029a7cf4e9f56be755ca096a268d8a8c04010e9b237e0a47d493
Instruction Fuzzy Hash: 673138B49092989FDB01DFA8D44839DBFB5FB06304F5882DAE418A7292D7384A89DB01

Function 05A27BCA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd137be7b283bb1abf31dbf96bc05eb8c64ddf3c1ab7f90b6dd4875af914a6a
Instruction ID: ed8b1146bee0aafd4ca3274c3cb5d253255ca53a0753a8ced9216791d4a7c69e
Opcode Fuzzy Hash: 6bd137be7b283bb1abf31dbf96bc05eb8c64ddf3c1ab7f90b6dd4875af914a6a
Instruction Fuzzy Hash: EB3136B1D4921DDFCB40DFA8D856BEEBBB1FB49304F1041AAD459EB251EB304A42DB81

Function 02B533E8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad42ab57dbd19cc9c8530e08598682abc22ee71d83060e33fc9c48a943b853c
Instruction ID: 925fa08f04bedd74678c14882218e1e0e9b05c71cb6dfaddd6dbfa5c00bdb9d6
Opcode Fuzzy Hash: 2ad42ab57dbd19cc9c8530e08598682abc22ee71d83060e33fc9c48a943b853c
Instruction Fuzzy Hash: 0C310574A04228CBDB51DFA8D8447EDBBF5FB49340F0485EAD80AAB341D7799985CB41

Function 02B26E80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a1b172fce72df88e01bd4cca8e226118e043b2be260ceedc68e82ba0b4623c
Instruction ID: bd2885f6a354ebfe050bd127ed26a1c1e2dc302a0bdef11ceea0f8f196b5fe97
Opcode Fuzzy Hash: 90a1b172fce72df88e01bd4cca8e226118e043b2be260ceedc68e82ba0b4623c
Instruction Fuzzy Hash: 6131D2B4D00219CFDB04EFA9C545AAEBBF9FF49300F1485A9D819A7264EB349A48CF51

Function 02B26E78 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49509230e290f43f478ea096c7dd2d4d8f430a98013f077f2a66a6d2cbcc1ebc
Instruction ID: 07c569fe63698a5a7e7e9a7018e4bb01ca3a3d7374b780207127963e0eba97b5
Opcode Fuzzy Hash: 49509230e290f43f478ea096c7dd2d4d8f430a98013f077f2a66a6d2cbcc1ebc
Instruction Fuzzy Hash: BD31E4B4D00219CFCB04DFA9C54969EBBF5FF49310F1485AAD819E7264EB349A48CF91

Function 05C3480F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a7c292d2d9410e26ec7308b41f317d5a82fc90bb733172485e381c5ea52fa6
Instruction ID: c997c8adaab4eb065a3183129f40f7bd44caa0eeeb4eddbd3050e73e9e8b7c2c
Opcode Fuzzy Hash: 43a7c292d2d9410e26ec7308b41f317d5a82fc90bb733172485e381c5ea52fa6
Instruction Fuzzy Hash: 1B217C31E04299DFDF04DB79C489BAEBBF5AF44244F108866D519D7290E734CA50CB92

Function 02B21DA1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18d4adc575dec821cce356204bea4dddaf0db8278c8a0ae223183bed4b23d8a
Instruction ID: 26e01eb07913caa6198c6676065ae22cf8175fa2792d072ac08095a8adb68365
Opcode Fuzzy Hash: d18d4adc575dec821cce356204bea4dddaf0db8278c8a0ae223183bed4b23d8a
Instruction Fuzzy Hash: D031B038A20224CFCB44DB58D584AA8B7F2FF88351F2585E5E809AB366C734AC84CF51

Function 05C33CC8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d527cc34aeaf3c013a1f8e78d6c299da15405141509b56ad1e65ff3da206c363
Instruction ID: 1de560932655b980e62a70ecce94ba0f958fec839f4c60dc4417517f7334f8e9
Opcode Fuzzy Hash: d527cc34aeaf3c013a1f8e78d6c299da15405141509b56ad1e65ff3da206c363
Instruction Fuzzy Hash: 4221D232B101598B8F10DF79E8464BEB7BAFF84A617204C76E416D7250DB38DD05C760

Function 05A2E9F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad87e33cd77d5d9fa9bb05eab8d8feb8dc2ccb80cbe12ba6d69230ead3fb048f
Instruction ID: facd2483363425654a2eb7bed1c26416e569cbc19d37ac98b4606c6d784d6723
Opcode Fuzzy Hash: ad87e33cd77d5d9fa9bb05eab8d8feb8dc2ccb80cbe12ba6d69230ead3fb048f
Instruction Fuzzy Hash: 0D31D2B0D05218DFDB04CFA9D946BBEBBFABB48301F14916AD419B3250E7345A81CF64

Function 00FBD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2212316602.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fbd000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18fbb9902ceb53f467367a8d7b06d4107497900b27eb7f0f2ffd0167dd36504
Instruction ID: 167810e4eed723310d9c70fe17b11d66b2abe7b7ae6d06c252c2497086108b19
Opcode Fuzzy Hash: a18fbb9902ceb53f467367a8d7b06d4107497900b27eb7f0f2ffd0167dd36504
Instruction Fuzzy Hash: 592125B6904244DFCB14EF14D9C4B66BF65FB84364F24C569E9090B24AD336D806EBA3

Function 02B26A88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1fdc3d2298029493eff833bc4b76e28d6b8c6e225725fe40961ea5f84cce4b
Instruction ID: 53ce91e32a14cf22f7c1d785f88bb7a12fc6f508c37ec8c46f58d848dfe496e5
Opcode Fuzzy Hash: 2c1fdc3d2298029493eff833bc4b76e28d6b8c6e225725fe40961ea5f84cce4b
Instruction Fuzzy Hash: C83127B4D00218DFDB00EFA8D0487ADBBF9FB4A304F54C1AAE419A7251D7784A89DF41

Function 05C30F68 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045cab73f2e849486fed4503ac2950b5d48efa8a7446802b4cd64a4b96bb7270
Instruction ID: 7f46980c547bbe64eeb1c3cf1bf61b8753c64f0c8138bd5ad4f150b92deb2c0c
Opcode Fuzzy Hash: 045cab73f2e849486fed4503ac2950b5d48efa8a7446802b4cd64a4b96bb7270
Instruction Fuzzy Hash: 7A216D35A00219EFCB15CF68C4499DD7FB6EF8C320F14856AE811A7390CB319941DB90

Function 05C3D3CA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced0c0c5f8cb7d14d23d460b1ab9b36914b8ce3f55927a99203b12f4dff5bfde
Instruction ID: fa0b225c646483a6a12457169ec2ea7695bc79c92b2ae24b8add5ad87cdf2d2d
Opcode Fuzzy Hash: ced0c0c5f8cb7d14d23d460b1ab9b36914b8ce3f55927a99203b12f4dff5bfde
Instruction Fuzzy Hash: 63210876610104DFCB05CF99E988E99BBB6FF48310B0644A9F6099F372D731E925DB40

Function 05C38A30 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee89d839952e3f4ebe167da76a4b5c80e72fee995444a4c7e0c81a7337d6e93c
Instruction ID: f54e0ad875049ec70f7fa5938148b60fdc37adaf15aa30c2c96dd8d20383812d
Opcode Fuzzy Hash: ee89d839952e3f4ebe167da76a4b5c80e72fee995444a4c7e0c81a7337d6e93c
Instruction Fuzzy Hash: A1211775A002098FDB04DF98D596ADDB7F2FF88300F2009A5E405BB361DB75AE45CBA0

Function 05C304F2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00649d64cc6e82834715d5383fc73cb5ba54a946d3fdd7ec70541ec43714badb
Instruction ID: 94195e805c9da49255a0f5b19b58ecb6e0624d9025d0e79b05d954cf63d33daf
Opcode Fuzzy Hash: 00649d64cc6e82834715d5383fc73cb5ba54a946d3fdd7ec70541ec43714badb
Instruction Fuzzy Hash: 612192B06102059FC724EB79D84A7AE7BA6EF85304F108839F40ADB645DFB4AD4197A4

Function 05A28130 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75965686d4dd50d98bf69bd7576b2f0309131731625bb884a50f4ff8e601147b
Instruction ID: b3efe6909244d34dbae821e411cfab29ff94ddbc2da6af82e0c6f83b843762a8
Opcode Fuzzy Hash: 75965686d4dd50d98bf69bd7576b2f0309131731625bb884a50f4ff8e601147b
Instruction Fuzzy Hash: 2E210CB4E0531ADFCB14DFAAC585AAEBBF6FB48300F14C199D815A7284D7389981CF91

Function 05C32398 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cf96a860e1e7942761deffa519117da377ca033c7504bc07790e20b6f8fba0
Instruction ID: 2e805d883bf27e3727142428d839f96e99cdef03b0d19773a705a98b42d16880
Opcode Fuzzy Hash: 22cf96a860e1e7942761deffa519117da377ca033c7504bc07790e20b6f8fba0
Instruction Fuzzy Hash: C8214C74A00219CFCF14DFA9D885AAEBBF6FF88654F004929D916D7310E735E946CB90

Function 02B52590 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2c115f713331afc253091855059776a8094a709c3d8d49d2f6aef886d0c8bf
Instruction ID: 0f9f16ad917e7e1c61c4dea7eb9afa4d44b235c2dacfa6dfd7a106d5cf88f3c3
Opcode Fuzzy Hash: 7f2c115f713331afc253091855059776a8094a709c3d8d49d2f6aef886d0c8bf
Instruction Fuzzy Hash: FD216AB0D062288BDB14CFA5D8547EDBBF5EF8A314F0480AAC809AB351DB754905CF51

Function 05C39B20 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854423c3dbed11dff30427e22b06c41d6d9708dcecec7ab1f76628faeb13b8a0
Instruction ID: 8c18a05693dadc2adfd4e87af04e3c581c3fea37c22608a28f76cb1fa0da23f7
Opcode Fuzzy Hash: 854423c3dbed11dff30427e22b06c41d6d9708dcecec7ab1f76628faeb13b8a0
Instruction Fuzzy Hash: F721BE7190091ADFCB24CF4CC9C1AAAF7A2FB44344F028969D4059B645C3B1A991CB84

Function 02B533E6 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3d3ff2d42082d640f6620ef61a43ebecf7d649d7c43678e95572ad4764428d
Instruction ID: 41beb5083c370c99ca88dcb9006c5fe7d0ede0848bfeed6cc0b8e7009528893a
Opcode Fuzzy Hash: 0e3d3ff2d42082d640f6620ef61a43ebecf7d649d7c43678e95572ad4764428d
Instruction Fuzzy Hash: 32213574E042688FDB10DFA8E8947DDBBF1EB49340F0485AAD80AAB744CB348E95CF40

Function 00FBD005 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2212316602.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_fbd000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344d767fa28cd6a513fe236e4d3c808bdad87aea2ab02972d2f1912bec2e729b
Instruction ID: d16f203930d8032d251da62adb3c2ef0548c34320b0f615cbf24692495d58e5a
Opcode Fuzzy Hash: 344d767fa28cd6a513fe236e4d3c808bdad87aea2ab02972d2f1912bec2e729b
Instruction Fuzzy Hash: D221B0755093C08FCB02DF20D994756BF71EB86324F2981EAD8458B657C33A981ADB63

Function 05C38A20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8f187ac1de25a72dcab0a556122c803bb65d7500bc5382c43625809dd6d05b
Instruction ID: dc88ce14e2450cd71725bd5bc6b0ac2eccf457a0254d3d39ebc6676ad9cb6473
Opcode Fuzzy Hash: 1a8f187ac1de25a72dcab0a556122c803bb65d7500bc5382c43625809dd6d05b
Instruction Fuzzy Hash: 6A213975A402098FDB04DFA4C596BEDB7F2BF88300F2149A5E441BB3A1CB759D84CBA0

Function 02B5CB06 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be99cab53415e7a13dcae5d686fdeb0e43a60e04c14a03c49b0133b4991c1283
Instruction ID: 63d9bb1f2f7b465ba8ce49412a3e0d4df9af5296e0e633643db565d12cb0aad9
Opcode Fuzzy Hash: be99cab53415e7a13dcae5d686fdeb0e43a60e04c14a03c49b0133b4991c1283
Instruction Fuzzy Hash: EC21A0B5940629DFDB25DF19CC80BE9BBF6BB49304F0481E6E908EB250E7719A81CF50

Function 05C3F6D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d0039fe5081d103874ac81600c82651d0fd110bec6e97d3b2538dfaeed90c7
Instruction ID: 9cd08f83238db40330545a5235ea46d8c012eaf27b68b7b216c1bc7366e8e586
Opcode Fuzzy Hash: e9d0039fe5081d103874ac81600c82651d0fd110bec6e97d3b2538dfaeed90c7
Instruction Fuzzy Hash: 6D21AF34B106088FC714DF28D989A6DB7B2FF89710F144969E546973A0DB30ED15DB61

Function 02B59CF2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1020b7b1c9fbca04e84b7c809a8ead430f7f41b5f0a1e8f735d1cc1c3a61bdfc
Instruction ID: 38f60d21db65f11b485e6e0cff8f157a737cf480b964ff4221621a1ed6f2d9a0
Opcode Fuzzy Hash: 1020b7b1c9fbca04e84b7c809a8ead430f7f41b5f0a1e8f735d1cc1c3a61bdfc
Instruction Fuzzy Hash: B4213874D04619DFCB00DFA9D8447EEBBB1FF89301F1485AAD818AB291D7786A06CF91

Function 02B59D00 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e73ce55b07e20ac68eb1966972537c4f828d20a51da8978b239078e63b3695d
Instruction ID: e1ce66e5d1ad9c26033a91f1b04c5bd7953d40c3c6ea1aabc9e0efcacbe24223
Opcode Fuzzy Hash: 5e73ce55b07e20ac68eb1966972537c4f828d20a51da8978b239078e63b3695d
Instruction Fuzzy Hash: 47212474E00619DBCB00DF99D8447EEBBB5FB89301F0084A5D818AB290D7782A05CF90

Function 02B5CB62 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b0356df291d51cb8da3ba7daf01108da89132344b4df1b864ef468a411cd26
Instruction ID: 6ae66cf6a4f33ed85b0159dbef461ba771f0f17201ad86ccb40af2994ac7c771
Opcode Fuzzy Hash: 09b0356df291d51cb8da3ba7daf01108da89132344b4df1b864ef468a411cd26
Instruction Fuzzy Hash: AA21A0B5905629DFDB24DF19C880BD9BBF6BB48304F1481E6D548EB290D7709A81CF10

Function 02B2C390 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cee9912b2ed1af460df7f2c720e62adea43a474337b636956e962f000188b8f
Instruction ID: 91a045a404583c35c2343795f1d14f4dcafc3591c7d334e55374b133249e182a
Opcode Fuzzy Hash: 6cee9912b2ed1af460df7f2c720e62adea43a474337b636956e962f000188b8f
Instruction Fuzzy Hash: 0C113474D04229CBCF18CFA9D9446EEBFFAFB88310F15986AD518B3210D7741A49CBA5

Function 05C3AD40 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f395b6bff00aa6a20f2d61602fd6fbb988c33d0b8fa749910e1855ac4a5bea8
Instruction ID: bc3009861238f16f2694acf2682d56ccf0219dba177281f28d6048e1ca369046
Opcode Fuzzy Hash: 5f395b6bff00aa6a20f2d61602fd6fbb988c33d0b8fa749910e1855ac4a5bea8
Instruction Fuzzy Hash: 0501C0313101044B8B00AE29E8C583AB7ABEFD8722318883FE506CB365CE34DC058B90

Function 05C31911 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee6a195ad8a6a182d8253f4f4be2def9795bb64095e179c824d499ffb7229b9
Instruction ID: 1040000fac6a17d007b0e29aec6c3174ea07f017878386939775d0e1e3b15aee
Opcode Fuzzy Hash: 8ee6a195ad8a6a182d8253f4f4be2def9795bb64095e179c824d499ffb7229b9
Instruction Fuzzy Hash: 13119E31B143089FDF24DF699846BAA7BF6AF88700F188469F515DB380EA30C901CB90

Function 05C31920 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f869b1011570d25c450b3150f13c2c69999da5bd24fc59832983200eb8cf7e
Instruction ID: 4a3a6a514c51117597fc2687b5784ffb5ad5bbed2d20d0c91f86c9f9a4b21aef
Opcode Fuzzy Hash: d7f869b1011570d25c450b3150f13c2c69999da5bd24fc59832983200eb8cf7e
Instruction Fuzzy Hash: 5911A071B102099FDB60DF6998067BE7BF6AF88600F18846AE515DB380EE30C901CBA0

Function 05C31568 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955e5bf0a1c2379f6090c39ceb20ebdc311633145abddc1753d66077e97cb4b8
Instruction ID: 14ba62f12a92dbf67c16d6680f4209c5946179809a44152365f8dcc64a1e8582
Opcode Fuzzy Hash: 955e5bf0a1c2379f6090c39ceb20ebdc311633145abddc1753d66077e97cb4b8
Instruction Fuzzy Hash: 85018436340214AFDB118F59DC85FAE7BA9FF89721F108026FA05CB290CAB1D9009750

Function 05A28120 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c501ad2a7d8fc6a0ff2833461159c69e332eacf9aa509fd43ae6280243f40c6a
Instruction ID: ece4b9e41007b4e8272ad3e2b8f43f21d568d81cc04c148c18bf73d0d17ad5f8
Opcode Fuzzy Hash: c501ad2a7d8fc6a0ff2833461159c69e332eacf9aa509fd43ae6280243f40c6a
Instruction Fuzzy Hash: 10115EB4E0931A9FCB54DFAAD9427AEBBF6FB45300F1482AAD418E3341D7384641DB81

Function 02B598FA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d260cad9d6c25c7f62c0d7bb2bf058c858bccb88fc41c7c4c30c3c18a2057d6f
Instruction ID: 26e35efdda30d5d82ece3aad509641a326b797dbdced75c871ad6c8e24046500
Opcode Fuzzy Hash: d260cad9d6c25c7f62c0d7bb2bf058c858bccb88fc41c7c4c30c3c18a2057d6f
Instruction Fuzzy Hash: 9421E278845698CFDB01EF98D1487ADFBF1FB49314F1490AAD919AF259D3786888CF80

Function 02B53E94 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fca04af4eb05794e8905f645b6efc17bcd513ae47afe16cdc36f1c1d0e1f95
Instruction ID: 1aa16d56ecd6bf8e691abfbd51de20e32e596587f6342090f0b25ebb6d52149d
Opcode Fuzzy Hash: a1fca04af4eb05794e8905f645b6efc17bcd513ae47afe16cdc36f1c1d0e1f95
Instruction Fuzzy Hash: E6112834A04268CFDB41EF64E84479DBBF1FB46341F5484E6D409AB655CB389E95CF00

Function 02B218EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5487cf78e345fb849b6ee7c41853e44a393f06309a105bf3a17a7e6bfe404d9a
Instruction ID: d06cf4cff098905f047bbc9d13f0f2051951778ad81514a38ac21584832002a0
Opcode Fuzzy Hash: 5487cf78e345fb849b6ee7c41853e44a393f06309a105bf3a17a7e6bfe404d9a
Instruction Fuzzy Hash: 7701F1317182508FD705963968487BA7BA3EBC5200F1880BAD24EDB29BCA740C4BCB01

Function 05A2844D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789bdd125a5d7e2160a350e2dbde87ef8f7d571dd178f2d184a96f77ef1ee238
Instruction ID: 1c207572ccbc262c6b6f6f13c7eeb267699ffeeec5026dba063da8ed1aa1dc93
Opcode Fuzzy Hash: 789bdd125a5d7e2160a350e2dbde87ef8f7d571dd178f2d184a96f77ef1ee238
Instruction Fuzzy Hash: F621E874A112288FDBA0DF28C856BDAB7F1BF0A301F1081EAE94DA7250DB345E85CF41

Function 05EBE1E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3716683a7e1105fee2f6dc31f7ef2b328c5fef354bdb54c86aa53599f1d0795
Instruction ID: 415ba3d4f4f3036a0031397ea4fe0f867318d7a7a883387fb04c617ea91beb66
Opcode Fuzzy Hash: a3716683a7e1105fee2f6dc31f7ef2b328c5fef354bdb54c86aa53599f1d0795
Instruction Fuzzy Hash: 1511F3B4E0020A9FCB48EFA9C9457AFBBF5FF88300F10856A9518A7350DB345A419B91

Function 02B5CDAB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb3bf85ce78c59f355b0c074f32f1ca38b64a93617c53924afd6d49feb35748
Instruction ID: a86ce9c8024e765c0c1cca9d34228ce9e1392efa8e01e51ded0e9268bac419de
Opcode Fuzzy Hash: 0cb3bf85ce78c59f355b0c074f32f1ca38b64a93617c53924afd6d49feb35748
Instruction Fuzzy Hash: 3B115AB2901269DFDB15CF14CC44BD9BBB6BB09310F0882E6D508DB292D3309A81CF50

Function 05A2F1D8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3921d3d80d27b33aa1c032949ee1c4dab6f694f9ba2db15256a0477dc36c8b
Instruction ID: c22c09654d2032b594c30f24efdbc91da4dab379a75cd45674d0aea928dc0c46
Opcode Fuzzy Hash: cf3921d3d80d27b33aa1c032949ee1c4dab6f694f9ba2db15256a0477dc36c8b
Instruction Fuzzy Hash: B211CC74908228CFEB04DF6EE987FEDBBF6AB8A310F049065E408A7241CB744880CF10

Function 05C3FF08 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfb03e2e52c164cf84bfaeb3c9218606677d3060006695ec19dd24b1aa72f74
Instruction ID: fae00f6c1b6f3235e5e0e6b83e2a2dd01717095a9e8c20940c3fbe456a71f174
Opcode Fuzzy Hash: 1cfb03e2e52c164cf84bfaeb3c9218606677d3060006695ec19dd24b1aa72f74
Instruction Fuzzy Hash: 09019E357006089FC7299A24C449A2A77B3ABCA320F148E2CE9564B790CB79EC02DB80

Function 05C3FEFA Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d0ebf5b541655481743e5c7e878df605fa1bcd9b44980f3d62180be9c57a00
Instruction ID: f869f4247a9522838323c9c495828cbea87975d1a4adbb01d2905b290c331011
Opcode Fuzzy Hash: a7d0ebf5b541655481743e5c7e878df605fa1bcd9b44980f3d62180be9c57a00
Instruction Fuzzy Hash: D2019E357006489FC729DB64C45AF3A77E2AF89311F048D6DE55A8B6A1CB79EC02DB80

Function 05C3DE02 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f872695dbba3732cb563c13094fd3369542cf4b50ea85b2f861bb1732a3d8e1
Instruction ID: 2eeea8d74a7ed4cd5fb3d583944858b16c36c0779850da1709f53a223f6c9710
Opcode Fuzzy Hash: 5f872695dbba3732cb563c13094fd3369542cf4b50ea85b2f861bb1732a3d8e1
Instruction Fuzzy Hash: 4D018F793005159FC704AB28D855A2ABBA2EFC8B11B10886AE90A87391DF71EC12CB85

Function 05C39BCF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f82a0ed52ff3b4a09fccffac9dd61ce3f02e5047d4c98956ce03cffaf76e18
Instruction ID: a669db7ab1be26bb9a755002836b2d2cfc0bdd2e22fa781c3fab39f5a3d27bd7
Opcode Fuzzy Hash: 92f82a0ed52ff3b4a09fccffac9dd61ce3f02e5047d4c98956ce03cffaf76e18
Instruction Fuzzy Hash: 43F0E2723095058FD7268F1CEC92B2577F2AF46705F450476F900CB359C5649C828B98

Function 05C34CC9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34253f4cdd27ca0fbde13bdc27aa6260eeb80f9d2a3975f25d6554891ec95dd
Instruction ID: 8e9603412f77f460c6dabc5aa8c0b59b8d6b6d3fbc099b5cb9db07493010cb1d
Opcode Fuzzy Hash: a34253f4cdd27ca0fbde13bdc27aa6260eeb80f9d2a3975f25d6554891ec95dd
Instruction Fuzzy Hash: D601A235A0121D9BCF08DB58D95AAEEB7B2BB89300F108469D501B7351DB751D00CBA5

Function 05C3DE10 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374dfa75081ca905a37ed489e8bf93583ce18e3a916d9f79b34838c318c1a322
Instruction ID: 8cc3712b433b202d242af2c5892281bc75548ee11b3a04056ae684742d8c1e66
Opcode Fuzzy Hash: 374dfa75081ca905a37ed489e8bf93583ce18e3a916d9f79b34838c318c1a322
Instruction Fuzzy Hash: 060181753005149FC704AB29D455A2ABBA3FFCCB11B108529E90A87390DF71EC02CBC1

Function 05C30999 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af900fe5e84a225800b866836806439e3dc93939ef4f3162a6f92feed582c5aa
Instruction ID: afa636511ceb226eabb6cbbaa6c7fb1802b03cfc5171d04dac8f7ec3b2963f81
Opcode Fuzzy Hash: af900fe5e84a225800b866836806439e3dc93939ef4f3162a6f92feed582c5aa
Instruction Fuzzy Hash: 99F0F672F097115FE305D658984672AB7E5BF89310F184866E546EB381DA71AC41C790

Function 05C3A3E0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9a255d2a442503a3136ea801bf0636f1fef3eaca5baef129442c70566054da
Instruction ID: 90ecb920b083871c3fb0d18793d04c23763b963b5e15ce46c23f1f86deef79d5
Opcode Fuzzy Hash: be9a255d2a442503a3136ea801bf0636f1fef3eaca5baef129442c70566054da
Instruction Fuzzy Hash: A9F02B77B004089FCB159B1CD889E6DB3A6EF84311B058066ED16D73A1DE349D278791

Function 05C30A00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ceba93522324ee114e1b331602a3394711d6a6deb05075cea3caf63b1341e28
Instruction ID: 4599180523b5658c1b0807f707412dc02748fe02437bf232b8c476facc967d8a
Opcode Fuzzy Hash: 1ceba93522324ee114e1b331602a3394711d6a6deb05075cea3caf63b1341e28
Instruction Fuzzy Hash: C0F02B63B0E3515FF312563818163257FA1ABD5200F1848DAD4869F2A2E9569C02C380

Function 05C3CF78 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb7781d889d7170478e3032c2adc8da7ae7feb4b0992064197909536a07c6a1
Instruction ID: 7dde300aef0085f1237d38ad553a12c267fa42b4ffe95f6153fb5997e0835ad1
Opcode Fuzzy Hash: 1cb7781d889d7170478e3032c2adc8da7ae7feb4b0992064197909536a07c6a1
Instruction Fuzzy Hash: 37F0C8713002069BC720DF18DC81F9AF7AAEF80314F10892BF91687651CB74E9588750

Function 05C309A8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69f42fe8f0395b6a2f26a2ab535576c61f7eece5a427343c6796448a3f31ac2
Instruction ID: 3e698a56307ce7d83ab19fc90e27de09c6de6e09496a38e8adaa1c6a1607cf39
Opcode Fuzzy Hash: e69f42fe8f0395b6a2f26a2ab535576c61f7eece5a427343c6796448a3f31ac2
Instruction Fuzzy Hash: 01F0E972F053155FE3159619980572FFBA9FBC8710F144869E54AAB341DB71AC41C3C4

Function 02B21B40 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750d731dc3d0b73e37c7da81f571df3b6ed27d11a1d0f88cb02520d54803576f
Instruction ID: 823ac62abc1630379e5e8bad4e2779edc715dda5c2e2691d2ec541cd0c3346fc
Opcode Fuzzy Hash: 750d731dc3d0b73e37c7da81f571df3b6ed27d11a1d0f88cb02520d54803576f
Instruction Fuzzy Hash: 8C01D135924378CFC711DFACA9497A9BBB1FB08600F0582EAD80D97606D3740A48CBC1

Function 02B5C6C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442903938de0fafc75a6ae9f74fdbc570f394fce783114371264a5261f2140af
Instruction ID: 8c8ee4d32ba9cbe5fed5374765e818d87e8006e8cc9a3a6af6eb5f91f3875c89
Opcode Fuzzy Hash: 442903938de0fafc75a6ae9f74fdbc570f394fce783114371264a5261f2140af
Instruction Fuzzy Hash: FC018F71C0020ADBCF01DFA4C844AEDBB75FF89314F04C25AE94467251D7319592CF90

Function 02B5B31C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bc5f700781ec02ab45383a6c9bf21a26392f2883e6a9495f12716dc903294f
Instruction ID: a7a479a06db479621b3490e7032e52db59d9c9f1cf91caa9d0789b3b6d055581
Opcode Fuzzy Hash: 23bc5f700781ec02ab45383a6c9bf21a26392f2883e6a9495f12716dc903294f
Instruction Fuzzy Hash: 8B117E749442A9CFDB60DF48D984BECBBF1BB08308F4441EAD808AB255D775AE85DF40

Function 02B52D73 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6286ba4479f086acfa1f08d076e36d4fb21193e7d3c8e783e410502f9439cfa
Instruction ID: a2194f3af10e04c6dd36a4bd5d3f3e752350186c818f2b212b30e9dcd5dc1457
Opcode Fuzzy Hash: c6286ba4479f086acfa1f08d076e36d4fb21193e7d3c8e783e410502f9439cfa
Instruction Fuzzy Hash: B9F02E35A09118DBCB00EFA0D8427ADBBB8DF41314F1481D6DC085B3A1CF355911DF41

Function 05A271FA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4936510329af8a2334e7647c6a37276b764dc537afc79a0c5ebde759cff504
Instruction ID: aa97db3ffe2477be203055dfb57ec761634ff0b0be7cf28f3ad7cc423ee53870
Opcode Fuzzy Hash: eb4936510329af8a2334e7647c6a37276b764dc537afc79a0c5ebde759cff504
Instruction Fuzzy Hash: CF012C74D0D298DFCB04CFADD48ABA8BBB1FB06314F1440B5D41A9B16AD7365945DF00

Function 05C31557 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57fe0425e40f691ea3f5a660b47578670696921645f4ead92f4292bf299c7923
Instruction ID: b7aaba8ee476f6ebaeb72921015a1be9bf5b09083db43119ed2c83b960972dfb
Opcode Fuzzy Hash: 57fe0425e40f691ea3f5a660b47578670696921645f4ead92f4292bf299c7923
Instruction Fuzzy Hash: 64F0673A3042409FC702CF2DE884E5A7BE9BF9962271544BAF906C7361CA30D814CB50

Function 05C3DB88 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ee92379df6ef75e2c085545b6de7fdaf87c2521cce7f0df6cd596641e911df
Instruction ID: e1a4aa2c866e40f371ba66bae7aa9ef01e8a40c8af51b2024ab8735bade3fbe2
Opcode Fuzzy Hash: a4ee92379df6ef75e2c085545b6de7fdaf87c2521cce7f0df6cd596641e911df
Instruction Fuzzy Hash: ECF049393102009FD305CF1CD855E2A77A6EF88721B1544AAF646CB3A1CE31EC52CB40

Function 02B5339B Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661de3e0845c7204866d47c5dd63548d8b8af292e5c09fcb6c78bafb9aa1767d
Instruction ID: d835a94e9dbfa574b9c96f8bc93746b870b604a3a557ef1d9f2446bc00c2a4a1
Opcode Fuzzy Hash: 661de3e0845c7204866d47c5dd63548d8b8af292e5c09fcb6c78bafb9aa1767d
Instruction Fuzzy Hash: 3FF0B434509118DBCB00EBA0D8417A8BBB9EF82314F1492D4CC445B361CB315A45DB44

Function 05A280CF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee344a4bc7bb05f3d63469123d0382eacbe5c61434e28f5484118be155669b96
Instruction ID: 58a840758cc5ab72751ca4e499730a415c354d01ae29c5d5c56d2c209f5f43ac
Opcode Fuzzy Hash: ee344a4bc7bb05f3d63469123d0382eacbe5c61434e28f5484118be155669b96
Instruction Fuzzy Hash: 0AF06DB4D08208EFCB40DFA8D946BADBBF4FB08201F0081D5E808A7750D6349A00DF41

Function 05C3DB98 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049bcba3ecf5c2449dddd006e1bb507cb80dcf6899749ecdadbb8081f2ff0a3e
Instruction ID: 79acbaf15a8016eab82e87715d7ccff2468d11d5bd10060b7513066cc61ba0af
Opcode Fuzzy Hash: 049bcba3ecf5c2449dddd006e1bb507cb80dcf6899749ecdadbb8081f2ff0a3e
Instruction Fuzzy Hash: D3F03A353102009FC3049B19D854D3A77AAEFC9B21B11446AF94ACB360CE31EC42CB90

Function 02B5C6D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a582205fe567e4fcdee6167163f3a7ac3ea5f95b8063edfbc9c0dac0995c0d5a
Instruction ID: 5efec5d8d8e3831dc90569804ccb0c8cf94612efbea07c154c5a6cc07fe2adb7
Opcode Fuzzy Hash: a582205fe567e4fcdee6167163f3a7ac3ea5f95b8063edfbc9c0dac0995c0d5a
Instruction Fuzzy Hash: 4FF03C3180021AEBCF00EF99C8009EEBB79FF89320F00C51AE95877210D731A661DB90

Function 05C3FA78 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3321bdcee60f77ba15b3a849f52364bb0b8f0aacd27b51c3c6596b6a9831457d
Instruction ID: 456f5eec3dbf5740dac4adaf1bba258bcb6a8824e8d7bc18d0f5b6102a5d8c9d
Opcode Fuzzy Hash: 3321bdcee60f77ba15b3a849f52364bb0b8f0aacd27b51c3c6596b6a9831457d
Instruction Fuzzy Hash: 73F0B23A6500149FCB468F98E946E507BA2FF1822171688D6F2088B272C332D826EB54

Function 02B5BB72 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7b73299b84ffb1a78e8ba706a5acc0462454b9ae443d2fffbfcaef59de68f7
Instruction ID: 3bde118f57a726649e4f8690f154257f7a834261eeb6a74a5c93a76e5763ef0d
Opcode Fuzzy Hash: be7b73299b84ffb1a78e8ba706a5acc0462454b9ae443d2fffbfcaef59de68f7
Instruction Fuzzy Hash: 32012C3490426ACBCB60DF14D840BE9B771FF45314F1082D5E898A7254DB75AAC5DF40

Function 02B5BF51 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9b9cdb575413ad76635038f3672adca9a5e7daec604faab89f4cfcc47d7023
Instruction ID: d782caf6788060d755daef9404e705e97df245da8b6a4b10a43e1bbb3d35b041
Opcode Fuzzy Hash: 9a9b9cdb575413ad76635038f3672adca9a5e7daec604faab89f4cfcc47d7023
Instruction Fuzzy Hash: B101C4749002A9CFCB64DF18D994BDCBBB1BB48304F4445EAD809AB355DB35AE85CF01

Function 02B20861 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48113de6b5eafadbcc0032c894c905033073438ce1d86e9aea9d50a2cc21f29d
Instruction ID: 11c0c65dbe4c6f5ef08777e4378bada826c15f8933fcaa89197b439d8e659174
Opcode Fuzzy Hash: 48113de6b5eafadbcc0032c894c905033073438ce1d86e9aea9d50a2cc21f29d
Instruction Fuzzy Hash: B8F01E2124E3E00FC70327B82CB44A83F708C8B10030E02EBE4CACB1E3C649180ACB63

Function 05C347B0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d2227314ec670a86ebfcb2b74ce09ac63e880f90184eaeb88f87bb8eaaf647
Instruction ID: 08b3572bd123c91b910ed9a81e666b45544cc4e6bf853701f514830626e4814b
Opcode Fuzzy Hash: 46d2227314ec670a86ebfcb2b74ce09ac63e880f90184eaeb88f87bb8eaaf647
Instruction Fuzzy Hash: 5CE0923640C6809FD7069B1DDD8A7497F709F52B54F0540E6D580CF15BD2248D60CB49

Function 05A25EA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e81c4492ec6db5efc6fcdd242d1fca80fde884d3518f39b1b401016b554b62
Instruction ID: 06e193f137c5452d9f30ff8e9af67bf4cb33e4ba05fbcf72b210a1353076d25a
Opcode Fuzzy Hash: b4e81c4492ec6db5efc6fcdd242d1fca80fde884d3518f39b1b401016b554b62
Instruction Fuzzy Hash: 09F09674D04284EFCB40DBB8D4557ACBFB0FF06205F0481D9D89497392D2344911DF01

Function 05C39C3F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072ae5758d76bbd15c68c141e8b872460cb42997be2e4f54ee4f88ee88d82ffd
Instruction ID: 8fbd85b1b5859ed499e8b5694d10c8619fea7acd46942aa09e5ab4597cf1758a
Opcode Fuzzy Hash: 072ae5758d76bbd15c68c141e8b872460cb42997be2e4f54ee4f88ee88d82ffd
Instruction Fuzzy Hash: 84F0E5713006069BC711DB1DED88E4ABBA7EFC0324B248D76B50AC7A15CE34EC978780

Function 02B5DD88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3b69eb2c5c543b99f3e2ee8d76ebfd8720179749dcd664f9e4ddf40e54806f
Instruction ID: 576abdcd66394f5ca7f6f231435b5de7f53b89ed41dbe7a0c37a05f0060393fe
Opcode Fuzzy Hash: bc3b69eb2c5c543b99f3e2ee8d76ebfd8720179749dcd664f9e4ddf40e54806f
Instruction Fuzzy Hash: 40F03475C05208AFCF00DFA4D981AECBFB5EB49314F1082A9EC446B391D7769A22EF41

Function 05EA8585 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1f931ab24c9d382dde5b802430d276221317ef41d1b642a4d7e761321c9678
Instruction ID: a77847724bd5ebf9d7bd80afa3547cbf09879e9643e461e962e1d975c5d4bcaf
Opcode Fuzzy Hash: 7b1f931ab24c9d382dde5b802430d276221317ef41d1b642a4d7e761321c9678
Instruction Fuzzy Hash: 670160B4A442688FDB64DF24DC85ADABBB1EB49301F5081E9AC09A3385DB345E85DF11

Function 05A23820 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e86b94947077de810654d4f4f5281bc06078e9b1b300dc888f324cd064dfac
Instruction ID: 2b9aac3eaea578bf0ce5eb8911500bbf9e8ffe542bd141d67c09bd7f5e01a31f
Opcode Fuzzy Hash: 98e86b94947077de810654d4f4f5281bc06078e9b1b300dc888f324cd064dfac
Instruction Fuzzy Hash: 0AF09C715082849FCB41CF68C841AA9BFF4BB06310B1481DAE9A497292C6354601DB11

Function 05C32C51 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a001f0846532121b9c8280aa4dbb17bb15f933c79b3f57295fc0afff6266e869
Instruction ID: e1230d45d1689474d5a1f9f8b607975a6a107f2b893bf586c88cb4837f729236
Opcode Fuzzy Hash: a001f0846532121b9c8280aa4dbb17bb15f933c79b3f57295fc0afff6266e869
Instruction Fuzzy Hash: ECF08231A146049FDB15CF58D499BDCBFB2EB44315F15C49AE006D32A1DB300A81CB84

Function 05C3041D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e108cab18541fb954dc077ddfed21c3372766d4388769d18d38a3675a1d097
Instruction ID: 5c77b29177c902c7a17e3ebff0e2fc626756dac1752ffc28750b4cbe2ff7e80b
Opcode Fuzzy Hash: 83e108cab18541fb954dc077ddfed21c3372766d4388769d18d38a3675a1d097
Instruction Fuzzy Hash: E0F0E2B290A3849FC702DB68DD917D93FB1EF46304F2505DAE048CB293D13A5E069711

Function 02B5B0D8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62f1837bbd28897fcd71c844437d9ab70a1365d7c258ff3fa6bbc67f6d930e9
Instruction ID: 2da04eaeae899d3bd56af1d753f39cfa474844bdbde8202d51e606f4d1b3fbad
Opcode Fuzzy Hash: f62f1837bbd28897fcd71c844437d9ab70a1365d7c258ff3fa6bbc67f6d930e9
Instruction Fuzzy Hash: A7F05875808108EBCF05CFA0D986AECBF36EB19310F148199EC046B251D2368A62EB81

Function 02B5CFD6 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9eb61d92f21715e06e00434404d7cd1706bd93b0863396fab800c7930a5ae1
Instruction ID: bd0d837434dc3ae8227605db28746c748b184d01d35bf78d9d118d354429255e
Opcode Fuzzy Hash: 9a9eb61d92f21715e06e00434404d7cd1706bd93b0863396fab800c7930a5ae1
Instruction Fuzzy Hash: B701AF759022288FDB20DF14D994BDABBF6FB09304F0041E6E908E7285C779AE84CF10

Function 02B5D248 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a70fef6409bc0f9ff6e770646fbc8615fb20af1d3e687e385b5c8d67ea51b8
Instruction ID: 36f86f46c920cce6d987365f39b22a8066767869929040bd32ac89586376c385
Opcode Fuzzy Hash: 45a70fef6409bc0f9ff6e770646fbc8615fb20af1d3e687e385b5c8d67ea51b8
Instruction Fuzzy Hash: DCF01774904148ABCB15CFA4C885BACBFB1EB49210F1481D9EC845A211C6368A52EF81

Function 02B5A988 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a3b245b7738f0fc06e7120d7b5b96916b681d50111ec1c828b50665005baa2
Instruction ID: bc2ae8b1d6c6b4fca520d75619c5af993b194b4705cd0ea39d29b277aa9d76fe
Opcode Fuzzy Hash: c0a3b245b7738f0fc06e7120d7b5b96916b681d50111ec1c828b50665005baa2
Instruction Fuzzy Hash: D4F0827180911CAFCF11CFA4D981AECBF75EB1A310F1481D9ED456B392D2368D62EB41

Function 05A23830 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a8907cfbafc535e67ccfe8e8285dfe01ea714d11c9e3f76f45363169154631
Instruction ID: d53abdc60725214aa90a8f55df917b3e263b3c9662dff2ed8d076f9b8005a940
Opcode Fuzzy Hash: 35a8907cfbafc535e67ccfe8e8285dfe01ea714d11c9e3f76f45363169154631
Instruction Fuzzy Hash: 68F05870904208AFCB80DFA8C841AADBFF8AB49300F04C0AAA868D7740C6399A11DF50

Function 05C32C60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3122fe366fdb5aee34886c0579670cc36c5b7ec6450b1040d61cc823a7abec5
Instruction ID: 6be63f5d9cf348795710c38b4ea9b10e3189bc3a94a9b399e2faeee08346ab5e
Opcode Fuzzy Hash: e3122fe366fdb5aee34886c0579670cc36c5b7ec6450b1040d61cc823a7abec5
Instruction Fuzzy Hash: CDF06D31A14618AFDB19CB99E44D6DDBFB7EB84220F15C4A9E40693290DB701A81CBC4

Function 02B57E3A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad1404ada9bcb3df3785117d35181e549eb633224ae4c25e1ebd8638795d41b
Instruction ID: 0a4a41445c36357041cbd5bcc78db89587e69468562a79570f6d69e6b8a764a1
Opcode Fuzzy Hash: 2ad1404ada9bcb3df3785117d35181e549eb633224ae4c25e1ebd8638795d41b
Instruction Fuzzy Hash: B6013C74805268CFD721DF29D8587A9BBF1FF06305F5480E5D489DB251CB364A85EF01

Function 05C39C50 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937141a26f59c1d7f866b41371b1c52b7773b1897534848b855c41bf15f7957e
Instruction ID: 96a8bc2d15fba4aae78c0216eae5a3bf63eb949cf84e99b2c1db6ab34300fb81
Opcode Fuzzy Hash: 937141a26f59c1d7f866b41371b1c52b7773b1897534848b855c41bf15f7957e
Instruction Fuzzy Hash: 7EE01A722002065BC710DB1EEC8485BFB9BEFD0764724CE3AB50A87625DE74ED568690

Function 02B55808 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503bea39df663cd05233f8612b10dc5935492f2374ddd1fa3a7efe77bdc66f21
Instruction ID: c5ca5b3639695f77a8d875bff497c96b7bdbd44645f4ceab8d19f791859cab35
Opcode Fuzzy Hash: 503bea39df663cd05233f8612b10dc5935492f2374ddd1fa3a7efe77bdc66f21
Instruction Fuzzy Hash: A0E09234948218DBC700DF94DD4175CBBB8FB45315F508198CC445B382CB359D02DB81

Function 02B5B868 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfc7e9ef4568b9213878536b83b9d61a09f39f71997e48e6d0342838d3397f0
Instruction ID: a3545aa60ebf9624e42c7789ed330e0309c64a9cdc4763fa1d9b3fe474b5c038
Opcode Fuzzy Hash: fcfc7e9ef4568b9213878536b83b9d61a09f39f71997e48e6d0342838d3397f0
Instruction Fuzzy Hash: E5F0E734904229CFCB60DF14D894BE8BBF1BB05308F0440EAD84CAB251D7769E81DF40

Function 02B53F91 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0115550b85efb0e10b4c96c61805734f80d7252ed6b8e35188d19bec7c1adf37
Instruction ID: b79ba99a98113b2a139e8e8ca9eaded76a1b5fa6afe6db3c5952246914a06ee0
Opcode Fuzzy Hash: 0115550b85efb0e10b4c96c61805734f80d7252ed6b8e35188d19bec7c1adf37
Instruction Fuzzy Hash: 66E06D70804218ABCB00DB94D9923ACFBF9EB45205F14C1EA9C8497380C7399A09EB96

Function 02B5AD86 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe6c34787f1ad0bd21e95c01f56876e234ca498183a1546c1e0b66827d53b77
Instruction ID: ebd62317e7b032510439ead4ada90eeff5c847e2a57b7fcb3d604c5afdc2b0a7
Opcode Fuzzy Hash: 9fe6c34787f1ad0bd21e95c01f56876e234ca498183a1546c1e0b66827d53b77
Instruction Fuzzy Hash: BAF039759002289FCF128F90D819BEEBB72FB4E305F209245E912BB295C7384984DF55

Function 05A25DC8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de961369d0dd8365bdc47ed45ca0a5cc9f771da90649d4a3b38a26f16718c97d
Instruction ID: b239cb4639b364e0c7253cf1656fa0b5ac26df73f2d95fb60a562211e7e91fdc
Opcode Fuzzy Hash: de961369d0dd8365bdc47ed45ca0a5cc9f771da90649d4a3b38a26f16718c97d
Instruction Fuzzy Hash: 26F085748151A89FCB40EFACD989BE87FB4AB09211F1000AAC88497362C2308942CF10

Function 05A26049 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25be0b5850ad09d72586dc632f46e6a569e79ead8c4bd022330f5db1a2d5c33b
Instruction ID: d1d53a2907032d729af0020aef6f2231f95187d8207bb8f949e71519fb401b0b
Opcode Fuzzy Hash: 25be0b5850ad09d72586dc632f46e6a569e79ead8c4bd022330f5db1a2d5c33b
Instruction Fuzzy Hash: 85F0A774809148AFCB02DF68D491AECBF70EF49311F14C1EAD89453352C6354A12EF05

Function 05A25EB0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c49d5bab0f2c436846da5b2b9f7844ad8175d3721018a0c699a85cc273c71ce
Instruction ID: 467226afa8d7be66e0aa5f45a2eba251165528a4453d7b9ce281e23eb8b5f201
Opcode Fuzzy Hash: 7c49d5bab0f2c436846da5b2b9f7844ad8175d3721018a0c699a85cc273c71ce
Instruction Fuzzy Hash: 79F03074D04208AFCB40EFA8D4466ACBBF4FB49701F0081D9D855A7391D6349A10DF41

Function 05A25E58 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1eb1e70f8567df8fd0242d554eee74f2967fc29dbf66999b6899b9db971209
Instruction ID: bdca96ccdf164994656e23a853d76acbb04918c9eb14e1e2b25dc575ab7d36df
Opcode Fuzzy Hash: ab1eb1e70f8567df8fd0242d554eee74f2967fc29dbf66999b6899b9db971209
Instruction Fuzzy Hash: DCF08C749082849FCB44DFBCD485AECBFB4FF09205F1000EAC4849B762C2318901CF01

Function 02B541A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59392ac3c93477bb5f480bbbbd4011a2e0cb2f125aa31dfee0fc700c4d92b388
Instruction ID: 75dcab23d0e3a70cc5525a50da0439f6e4928519e10f901bd7f52d880f664c09
Opcode Fuzzy Hash: 59392ac3c93477bb5f480bbbbd4011a2e0cb2f125aa31dfee0fc700c4d92b388
Instruction Fuzzy Hash: B4E0D874909208ABC705EF54DD817ADBFB5EF46304F1482E9DC086B341CB359D86DB41

Function 02B595D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002fcfc6bda0559ce43e6586baf906155d3bd03898b044865c06c46dfb0da5ab
Instruction ID: af43854ac55fd82e06e408e4aeb8306f787fcaa61b9d945e2271743bdb913fa7
Opcode Fuzzy Hash: 002fcfc6bda0559ce43e6586baf906155d3bd03898b044865c06c46dfb0da5ab
Instruction Fuzzy Hash: 07F0307090D294DFCB12DB6495915ACBFB49F47214F1845DDC88457252C6355906DB42

Function 02B2C188 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb46e5e7b29118e7c68d2d8c428e18ae65b730272aa604ad0cda1acb9722099
Instruction ID: dfae53cd1459db059841ff8cb5b535e49669c6552d959a661a11ff612befb4a7
Opcode Fuzzy Hash: deb46e5e7b29118e7c68d2d8c428e18ae65b730272aa604ad0cda1acb9722099
Instruction Fuzzy Hash: FAF01574D04218EFCB40EFA8C941A9CBBB4FF48311F10C1AAA808A3350D6359A55DF80

Function 02B21B90 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c919432f01db37e8b5f4466a90e460e22b842c3d6f8c08cb179965d9831df69e
Instruction ID: 2cd3a7cd6c05017f01c5f30efd1493e94d3bdf1a45278b33abd70cae3e4b0a45
Opcode Fuzzy Hash: c919432f01db37e8b5f4466a90e460e22b842c3d6f8c08cb179965d9831df69e
Instruction Fuzzy Hash: EAF08C38620328CFC710EB5CEA4C7B473B2EB44311F5142E5C80D8B20AE3341D88DB40

Function 05A21249 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b80976d1e3ec9977f3c354bed0f742c8a65e57bcf24766c1f3cf0ae8202391
Instruction ID: b3b23f7c899501a2f16890263266493b3c2a1779f5095c8db923e8774753a090
Opcode Fuzzy Hash: a6b80976d1e3ec9977f3c354bed0f742c8a65e57bcf24766c1f3cf0ae8202391
Instruction Fuzzy Hash: 74E092B4804208EBCB00DF58D985BADBBB8FB45311F1481A9E84467351D7319A12EB84

Function 05C34C88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f2dbae91867dd2b22b279d55a3aa25534d1f284408342a44449dd1fb9802ae
Instruction ID: 1db3d788c708f0185d85870591b948299210f2f969102af8d177a1e56caf55de
Opcode Fuzzy Hash: a2f2dbae91867dd2b22b279d55a3aa25534d1f284408342a44449dd1fb9802ae
Instruction Fuzzy Hash: 15E086313053095BCF14B6A5684EB6232996B45E10F110CA596059F390D972EC42C751

Function 02B5D258 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bffe30379c7462743859bbe59905408d46ae668c1f1fa01b80333e11654dc1
Instruction ID: 6e24024f055bd4f83ee4b56e70615ffcb131444c3dad96e3dfe14654edb43914
Opcode Fuzzy Hash: 71bffe30379c7462743859bbe59905408d46ae668c1f1fa01b80333e11654dc1
Instruction Fuzzy Hash: F4F03974804208EFCF00DF94C944AACBBB9EB48310F14C19AEC9456350C6369A11EF80

Function 02B5B0E8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03914bfb22f1e10ccfe292e6d64598b25c41c7a41f1bbee5bbc89320271f4bf2
Instruction ID: 4c6858ba7f065d148513a5b18b610f67fc47ce68d71331147f29144926d8f7db
Opcode Fuzzy Hash: 03914bfb22f1e10ccfe292e6d64598b25c41c7a41f1bbee5bbc89320271f4bf2
Instruction Fuzzy Hash: 63E0653480420CEBCF01DF94D981AADBB7AFB48304F108199EC042B360C7329A61EB81

Function 02B59E99 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a57565b59a50d89a6b3335114b15495d069b18e3fd8397e729814d3c78382d
Instruction ID: 173c581147cf2d0dac42efb250e90dfd28f92ea5f3bfc9daab1c235f831c21c9
Opcode Fuzzy Hash: e5a57565b59a50d89a6b3335114b15495d069b18e3fd8397e729814d3c78382d
Instruction Fuzzy Hash: CCE09234905148EFC751EBB8DA85BF8BFF8AF49204F1C40E9D84897342E6315A45CBC1

Function 02B59E09 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfc09c43a26a0acf8a2dd24fb365e59dd862d1f0820fd6ac45878c966f46b1b
Instruction ID: c9a679705ba2963d27e8297102d263788dee64497d59c06691b869dade8b3029
Opcode Fuzzy Hash: 0cfc09c43a26a0acf8a2dd24fb365e59dd862d1f0820fd6ac45878c966f46b1b
Instruction Fuzzy Hash: 71F01534905208DFC710DBA8D948BA8BBB8FB49305F1841EAD8885B362C7345A45DB80

Function 02B55F50 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418f0da77ddb2f6d93162383d75aba73bb23a3f8cf6cd8d68827a717442b532c
Instruction ID: 9fe58ff0278dd8b61bdb86549843f3b37d6c95d342ac55fbb8557b2f86979971
Opcode Fuzzy Hash: 418f0da77ddb2f6d93162383d75aba73bb23a3f8cf6cd8d68827a717442b532c
Instruction Fuzzy Hash: F7E09AB09082089BCB10DBA4D9C97ACBF74EB5A312F6481D9C888AB382C6764D02CB00

Function 02B51CF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ae7f956348be5c82a7c4992566e7d761054ac1c8fee8d2a2872c004fb64a7e
Instruction ID: d49c4437d51c0ff00c81c4e00cde51c0d7fdf93b1175232103997835f035378d
Opcode Fuzzy Hash: 70ae7f956348be5c82a7c4992566e7d761054ac1c8fee8d2a2872c004fb64a7e
Instruction Fuzzy Hash: 0DE09A34809218EFCB04EF98E9417ADBB78FB45304F2082E9D8182B390CB316D12DB95

Function 02B52550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e095f6d0b50dd87870ae6a45057d11cef8391634129cde46cbc99c13ca659912
Instruction ID: 70c10545cf5a67644601e21c329945791d3a12d9108b40a0c6b185a14d72f1bb
Opcode Fuzzy Hash: e095f6d0b50dd87870ae6a45057d11cef8391634129cde46cbc99c13ca659912
Instruction Fuzzy Hash: E2E0DFB5D4A208EFCB00DB94E9517ACBB78FB45314F1882E8CC4427382C7719D02CB44

Function 05EB53C8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c40d9cb3c835b280fa3397928169fd584b85cc586a3aff9f3d6e2a7db37cef
Instruction ID: a27cd0d0122f161b6b50ce2bf16fee02a2aa3061acff990db4b9fb05066a1348
Opcode Fuzzy Hash: 08c40d9cb3c835b280fa3397928169fd584b85cc586a3aff9f3d6e2a7db37cef
Instruction Fuzzy Hash: AAE03974D04208EFCB40EFA8E984A9DBBF4FB48301F10C1AA9848A3340E6759A01DF40

Function 05EBAEC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c40d9cb3c835b280fa3397928169fd584b85cc586a3aff9f3d6e2a7db37cef
Instruction ID: 864d5025ebfc0d79bb0d5dd0e58720cd3de4e45a4fc887531f94aa0da807958a
Opcode Fuzzy Hash: 08c40d9cb3c835b280fa3397928169fd584b85cc586a3aff9f3d6e2a7db37cef
Instruction Fuzzy Hash: A7E03974D04208EFCB80EFA8D940AADBBF4FB48301F10C1AA9848A3340D6369A41DF40

Function 05EB9680 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c40d9cb3c835b280fa3397928169fd584b85cc586a3aff9f3d6e2a7db37cef
Instruction ID: 5355230ee2cdc1eceff6bdc53096c81faabced55a19e70da012226749e228b83
Opcode Fuzzy Hash: 08c40d9cb3c835b280fa3397928169fd584b85cc586a3aff9f3d6e2a7db37cef
Instruction Fuzzy Hash: E7E03974D04208EFCB40DFA8C94069DBBF4EB48300F10C1AA9858E7341D6359A01DF85

Function 02B54B09 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29edda59c0875b33c6b599d7ff3407eac1e91fc53eb4236eb7f2820f9c895c8
Instruction ID: 369c9d4fbd1dfce533a5861daa96f6d6c959672252197e963b5afc8960cb590f
Opcode Fuzzy Hash: a29edda59c0875b33c6b599d7ff3407eac1e91fc53eb4236eb7f2820f9c895c8
Instruction Fuzzy Hash: 0FE0DF34A05208DBCB08EF90D9C57ACBB78EB89300F2482ECC8085B780CB354E87DB81

Function 02B5937A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee70a29283aa62b354da21f091ea05793519547d9b98fb72613a6a89acdee58f
Instruction ID: 805c6d41e7c4623a04b11531a6ceae44dc26d1dbb22450afae48c65d73b204dd
Opcode Fuzzy Hash: ee70a29283aa62b354da21f091ea05793519547d9b98fb72613a6a89acdee58f
Instruction Fuzzy Hash: 91E026B194110CDBC711EFB4D4497AE7BECEB06304F0440E2D908A7191EA350A04EBD7

Function 02B58E92 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c469634d63671eb31ec71309afbae2489074eb2637d27ec7c7de21b3bd50b8ce
Instruction ID: 3a3736fe23013ed8b1b0d123ca3f43ae2ef529dde65cc10f126ec5897ce5d6be
Opcode Fuzzy Hash: c469634d63671eb31ec71309afbae2489074eb2637d27ec7c7de21b3bd50b8ce
Instruction Fuzzy Hash: 17E09270D09114DBCB10DFA4D5C26ACBF70EB56315F1481DDCC451B351D6354D46CB81

Function 02B5E699 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7017d545375abfabd73c1604a1a463d4dd1c546504070b2f2b0916420601aca4
Instruction ID: 75ecf5873d183e68c0a716c94c250707498a3a8019fc25f60bd1febff25c5e3c
Opcode Fuzzy Hash: 7017d545375abfabd73c1604a1a463d4dd1c546504070b2f2b0916420601aca4
Instruction Fuzzy Hash: 9DE09270D09204DBCB10DF64D9866ACBFB4EB55315F1481DDCC4917392D6368E06CF81

Function 02B59CB0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d417f087f858da05ccf3f3637ebd066f1715da9a76434f92174c8bb384838ac1
Instruction ID: 45f3b0fc9f28432230eaf846a5db2f596f79f6e5321723a39acb6bd179e4904a
Opcode Fuzzy Hash: d417f087f858da05ccf3f3637ebd066f1715da9a76434f92174c8bb384838ac1
Instruction Fuzzy Hash: ECE092B0C09258DFCB50DB6495963ECBFB0DB16215F1841D9CC445B382E63A9D06DB81

Function 05EBF9E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50e325070938c7e2ec76cb29315a3f0aefa5829ab51351f65ef3f90134739ef
Instruction ID: c3b413703dfe050c4f73d1559a948c01db13f8f88ff7e514acb6d14bd09cfbbe
Opcode Fuzzy Hash: c50e325070938c7e2ec76cb29315a3f0aefa5829ab51351f65ef3f90134739ef
Instruction Fuzzy Hash: B2E0ED74D05208EFCB44DFA8D94569DBBF4FB48305F14C1A9D85893340E6759A41DF41

Function 05EB8D38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50e325070938c7e2ec76cb29315a3f0aefa5829ab51351f65ef3f90134739ef
Instruction ID: f13c4217966463ed4775789bb0710e63a01c8b350a4d4d271fc98918f91c5353
Opcode Fuzzy Hash: c50e325070938c7e2ec76cb29315a3f0aefa5829ab51351f65ef3f90134739ef
Instruction Fuzzy Hash: D8E0ED74D09208EFCB44DFA8D5446DDBBF8EB48305F10C5ABD85893350D6755A01DF41

Function 05EBDD08 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde0936e856a9269a18a844f8bc82de4523d69e0c4213d7e289ad03ca02b9596
Instruction ID: 733837863b6eb2b12ce0e4efdb746f87a2d3578b13206ff42b99e1a18aa9da11
Opcode Fuzzy Hash: fde0936e856a9269a18a844f8bc82de4523d69e0c4213d7e289ad03ca02b9596
Instruction Fuzzy Hash: 9DE012B0D4920C9BD740EFA89A4579D7BB8EB09315F1045A5E88DA3340D6745A40DB45

Function 05A2E920 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fc60c82f88f740063e2f8f78b5b13bcc09c189b65e4ca97a69f78367dd8db6
Instruction ID: 8c867fcd0bf85bf6bfe116f5c977829d9b7e0bb50c641c5f3055af4a3e1a0b52
Opcode Fuzzy Hash: 09fc60c82f88f740063e2f8f78b5b13bcc09c189b65e4ca97a69f78367dd8db6
Instruction Fuzzy Hash: 0CE0E570D09208EFCB84EFA8D545AADBBF9FB48300F1081AAD858A2350D6355A91DF85

Function 05A21FE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658f89a6a4be80fa1a4ddc6a583fca0bc85edc8b2d30299dceeafc34d4be5eb6
Instruction ID: e4e1edb5197118a08b2b6423c860a498c72374a74024d57faa16757ec50fde0e
Opcode Fuzzy Hash: 658f89a6a4be80fa1a4ddc6a583fca0bc85edc8b2d30299dceeafc34d4be5eb6
Instruction Fuzzy Hash: 3CF0B774E012288FDB60DF68D889B9DB7B6BF49210F1099E6C409B7210DB3449C1CF11

Function 05A25E10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af623f31953c348a7252658d23b60f601d01461785ad6c0464cb9d4c2dea966
Instruction ID: 48d0bcd31d8b6b9ee60f8776f50eb6a3c66afea34b44c589ecf85afbb7514004
Opcode Fuzzy Hash: 8af623f31953c348a7252658d23b60f601d01461785ad6c0464cb9d4c2dea966
Instruction Fuzzy Hash: 23E06D70C09298AFCB51EF78E8867ECBFB5AB09215F1441E5C88996352D6304655DF11

Function 02B58158 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8df84316d6b6f7b9e37dc598e1e4bc42447b0f9bb5bd5cdc80b278978171b4a
Instruction ID: 68a0bab4e1aca52f50cbc754cf7d47587fec83025a2d50c64c39680cbfdbd5c5
Opcode Fuzzy Hash: b8df84316d6b6f7b9e37dc598e1e4bc42447b0f9bb5bd5cdc80b278978171b4a
Instruction Fuzzy Hash: 37E0D870809298DFC741DF64D955378BFB4AB06205F0441DEDC949F781D7394E81DB81

Function 05EBEF58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed29f91d3af7aebfd6de6f0696a06df9f7d43d74787e59fa5f3f69ea26f5cd35
Instruction ID: 18c2f16d69ea267739ea0db520da929e7a759d6859860a273a2422224605d079
Opcode Fuzzy Hash: ed29f91d3af7aebfd6de6f0696a06df9f7d43d74787e59fa5f3f69ea26f5cd35
Instruction Fuzzy Hash: 25E026B4808218EBC700DF94D940AEDBFBCAB45302F10C199E88457340C6319A02DB94

Function 05A26058 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c3096687158d02b03a6b407bb16f1fd1eaa277e2cbe88949f015eb55889a55
Instruction ID: 0eb384a7c4759d56b73ccbefde37481745f9b5946f8448e93fbf0f77160e8b77
Opcode Fuzzy Hash: 92c3096687158d02b03a6b407bb16f1fd1eaa277e2cbe88949f015eb55889a55
Instruction Fuzzy Hash: AAE09A74C09208EFCB01DFA8C985AECFBB8EB48301F10C1AADC4463340CA359A01EF85

Function 05A2B74E Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f2598c915010811499c3e3ce94f6462bdabb674c42035384895a8d35e8e30d
Instruction ID: f9cc1bbfd20dfefa465c7446bd59c022b84be14e1d6a071cbcd6f22d04bf70bb
Opcode Fuzzy Hash: 64f2598c915010811499c3e3ce94f6462bdabb674c42035384895a8d35e8e30d
Instruction Fuzzy Hash: C9F0B274A04329DFDB60DF18D989B9ABBB5FB06301F1046D5E449A2250CB345ED98F02

Function 05A2E620 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d82eb36baaac804087a3ef50b5c6ba40710c6e359b3f8667f5cc1c164ab57e
Instruction ID: 9a1b8b93626b25c6f1a3b23e361953a7682ae2f18e33903f998e324f96c86930
Opcode Fuzzy Hash: b3d82eb36baaac804087a3ef50b5c6ba40710c6e359b3f8667f5cc1c164ab57e
Instruction Fuzzy Hash: 2DE01A70D05208EFCB54EFA8D5456ACBBF9BB44300F1081A9D858A3340D7345A40DF45

Function 05C30482 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998f966eb2b4fda7f753f7f320b3bb43dc384c2b9762a964526ad741b97690bd
Instruction ID: a852b13cbf6556be13f69cd747a0e088d22e29bf22f43f545384870e1e97a81b
Opcode Fuzzy Hash: 998f966eb2b4fda7f753f7f320b3bb43dc384c2b9762a964526ad741b97690bd
Instruction Fuzzy Hash: A2E04F71A10104DFCB40DFA8EA51BAE77B1EF48305F208968E409DB241DA756E11EB40

Function 05C3C9E1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad578a2c6fcaee9edf27a2fca083296b000175c032e859e49c9b988a856931e
Instruction ID: 952c6e5f55094f7c268b923f67e8fd8e27a2d52644577b97626b8343749404fc
Opcode Fuzzy Hash: 6ad578a2c6fcaee9edf27a2fca083296b000175c032e859e49c9b988a856931e
Instruction Fuzzy Hash: CBE0C2767100048B8714EF4AE8414AEF7A2EFCC612710C43AF90AC3340CF318D2A9B90

Function 02B59EA8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be99e31bffd1c8f0c89fc50d15b902a93abd6b4539ff2ffbeb36dc24a3e5988f
Instruction ID: 376f2f33ccb73d932ff6cd250afeb9b5246b1596ab063897a51a734d352f2776
Opcode Fuzzy Hash: be99e31bffd1c8f0c89fc50d15b902a93abd6b4539ff2ffbeb36dc24a3e5988f
Instruction Fuzzy Hash: BFE04F70905218DFC740EFA8CA847ACBBF8EB08204F1481E98C48D7340E7319E45CB81

Function 02B5EC69 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9105ced7366bc098cff84eb03b232039d6f8deb51386d8a09d650d231d3575
Instruction ID: 583ab2b9921c441a583b922deb7f7bbbb63a3a109e3daaf9999e4e1260417e5f
Opcode Fuzzy Hash: 6a9105ced7366bc098cff84eb03b232039d6f8deb51386d8a09d650d231d3575
Instruction Fuzzy Hash: DFE08CB040D118EBC715DF94EA49764BFB8EB46314F1444DDDC089B792DA36CE02CB82

Function 05EB8040 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcf2e4d2337aa8734d9b219c975f04505cc912150abf5e155a8c04cae630474
Instruction ID: e15a8a247e52f3e736bf16fb1bdfefbee75c3c4d08fb9e9713ba67312d7c0c11
Opcode Fuzzy Hash: 2bcf2e4d2337aa8734d9b219c975f04505cc912150abf5e155a8c04cae630474
Instruction Fuzzy Hash: 98E01A74D09208EBDB04DF98D5806ECBBB8AB49305F1481EAD85857341D6755A02EB55

Function 02B21BD1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b29cad7aa470af0a1c1a13fb5fbbd79b9f957535a6199764d6dd7b802179b53
Instruction ID: b01a50b7766c2883bff081b4034d0968c60936ba375098a69c6237a2aa704249
Opcode Fuzzy Hash: 8b29cad7aa470af0a1c1a13fb5fbbd79b9f957535a6199764d6dd7b802179b53
Instruction Fuzzy Hash: 1AE048353596848FC746EB7498946043FB5EF4A51032584E6D848CB376C9349C05CB11

Function 05A25DD8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bed844512bacb84aab9f34a33966fe81a7ddb41cc301a5c839c3fd293b1784
Instruction ID: 3697303d2e7f9da5bbadb45b7c606197dea4c38f288c5f4d8447ed1b31c5dad3
Opcode Fuzzy Hash: e4bed844512bacb84aab9f34a33966fe81a7ddb41cc301a5c839c3fd293b1784
Instruction Fuzzy Hash: B1E0B674D15218DFCB84EFACD989B9CBBF8BB08615F1041E9D809DB761E630AA40DB51

Function 05A2FE38 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d015b0829a36f820227ea26e2c2a24bd175b3a7ec0209c232ad1439717dae1
Instruction ID: 18b070677a5ab00f217d9b6c317410685ccbfafd238b4cf60b8527e1ebf947b4
Opcode Fuzzy Hash: 12d015b0829a36f820227ea26e2c2a24bd175b3a7ec0209c232ad1439717dae1
Instruction Fuzzy Hash: ADE04F7090521CDFCB40EFACC986A9CBBF9AB08604F1081A98808D3341D7319E41DB41

Function 05C3B2B7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591b94013da1ee63a08720f6d61fbe83e51542d41e6a53fa7633445054c1526d
Instruction ID: 4b76ba2619d5b4459b26ff152cdb4189ede4d413b730847e3d03ababe0cf29db
Opcode Fuzzy Hash: 591b94013da1ee63a08720f6d61fbe83e51542d41e6a53fa7633445054c1526d
Instruction Fuzzy Hash: 93D02E327186224BCB01A62DEC413AB3BE3DB8CA04F448A3AB802C3304FE24DD0283C0

Function 02B533A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: bff7ec72c0a555d3a18d51d6e75bbc38b526adc48c33776934b069ed76d143c2
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: DFE0EC7490921CDBCB04EF94D9856ACBBB8EB85315F14D1E9DC086B351CA315E42DB85

Function 02B59388 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cade1fcc6d07b23403a38fe730dc8f81a416616f6b36068fbe38d0c0e143574
Instruction ID: d39ba98a82f3afd32555296b1ca376942770e0ee44a6abcc466f23d015db306e
Opcode Fuzzy Hash: 6cade1fcc6d07b23403a38fe730dc8f81a416616f6b36068fbe38d0c0e143574
Instruction Fuzzy Hash: 5FE012B154121CDBCB00FFB4990579E77EDEB45205F0045E6D504A7150EE755A04EB96

Function 02B54B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: e6d5c244691645f9471ff1f980f597763a7c8d791aab6ce98f92e2e6be40a99c
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: 35E01278909218DBCB08EF94D9857ACBBB8EB45315F2482DDDC486B351CB315E42DB85

Function 02B55818 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: 9b27837ae8f62271b8ce3615420c3891a4b67d4e4b7ed7ec1ce95aac925bd89b
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: E8E0C234909208DBCB04EF94DD806ACBBB8EB45306F6081DDCC082B340CB356E02DB85

Function 02B541B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: bdafc54ee3928d4a38138fb5046b6491be53bba86d542c86bc6bb966a56a47d8
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: 5DE01274909218DBCB04EF94DD857ADBFB8EB45315F1482D9DC086B351C7315E82DB85

Function 02B58EA0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: 8080f61f15b30f63f858edc85848e0b6748cd49631adffd0ea9a34e8ecb8f59a
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: 21E0C234A09218DBCB04EF94D9816ACBBB8EB45305F1081D9CC082B350C7315E42DB85

Function 02B5E6A8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: 5fdf0b595d5115c2d37df355b126b50d384111de2b3152ad60b9e7af18966926
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: 88E0C234909208DBCB04EF94DA846ACBBB8EB45304F1081EDCC082B351CB319E02DF85

Function 02B55F60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: d173d9071883813a4c2420de3927a6ea34e9ac685a37e86d832992f9afe59e7d
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: 92E0C234909208DBCB04EF94D9807ACBBBCEB45305F5081D9DC486B350C7715E02DB85

Function 02B52D80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: 4b4299d95830092d26660a74498704fd0a91e52c812a3005d9f846d10571e85b
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: E8E0C23490A208EBCB04EF94D9857ACBBB8EB45304F1081DADC082B380C7315E02DF85

Function 02B595E8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: 343ed9e29642b1625b9e7d07d35741b96dd4f6f538acc09c538890d57c9ebff6
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: 5FE01274909218DBCB04EF94DA856ACFBB8EB45315F1481DDDC086B351CB316E46DB85

Function 02B51D08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: d27d1963461701e7b76efcd367eaaff974659140fd7995aed29b9dde2432bac9
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: 5FE0C23490920CEBCB04EF98E980BACBBB8EB45304F1081DDDC182B380CB315E02DB85

Function 02B52560 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction ID: cd2630716d2d71cc7f4fc97fba4e78eaea46bfe87778f530f9dbc29bfd87ef18
Opcode Fuzzy Hash: c90bec9be90b7f26b5ae01980849e338e8bc30f42b36352ad75eab82f47f9bd1
Instruction Fuzzy Hash: D0E0C274D4A208DBCB04EF94E9907ACBBB8EB45304F1481D9CC082B351C7719E02DB85

Function 05EBD048 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1aac3256d725496a3c5e24061e8861c2cda548afa3ac3fca9897a3b9e203daa
Instruction ID: dac0a9552dce01989d6fff0866937b1682c94adc92cd680c2a3fa1aa6d05de60
Opcode Fuzzy Hash: c1aac3256d725496a3c5e24061e8861c2cda548afa3ac3fca9897a3b9e203daa
Instruction Fuzzy Hash: 22E0C234909208DBCB04EFE4DE846EDBBB9FB45305F1091DDC84867340CA725E02EB85

Function 02B2B128 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbe64899f2af86bcc82afc244d55b59c7b58ba01911db9fa274ff0c4d94c434
Instruction ID: f9690155c2f6ea220a9aa1b670904669305c4cd87f0e9055061ef4dc19b38396
Opcode Fuzzy Hash: ddbe64899f2af86bcc82afc244d55b59c7b58ba01911db9fa274ff0c4d94c434
Instruction Fuzzy Hash: A6E0C271801218DBC700EFB4C90979E7BB9EB09201F0046E5D10CA7110EF354A00EB96

Function 05A273C1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aec00a28fd9e965592ea8c2716680ce6a1bf73755a6ba6b460edcdf02077ac4
Instruction ID: 201d3e0b3663ed81388e10c299ad1373132fc8e6a89152746589d2cc29776741
Opcode Fuzzy Hash: 3aec00a28fd9e965592ea8c2716680ce6a1bf73755a6ba6b460edcdf02077ac4
Instruction Fuzzy Hash: B4F0A5B8E06228CFDB14DF68EA59B99B7B1FF4A304F108498C40AA7355CB745E85CF00

Function 05A2E670 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad38c256bea266749d8747c22ccee08bfb44009b25e93b60af007f75e8f72a1
Instruction ID: d992081bb159903feaa96938244f9087ee54a48abc0edd5721f8e6c880e5db5f
Opcode Fuzzy Hash: 1ad38c256bea266749d8747c22ccee08bfb44009b25e93b60af007f75e8f72a1
Instruction Fuzzy Hash: 33E0EC74D4621CDFCB40EFA8D94ABACBBB8FB05201F1041A9D809A3750E7305A94DB46

Function 05C30490 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344addc1f3e4355d090b6d89cfed2a670910044f83941d4abd61e6292ee91706
Instruction ID: a05741d72fa19f461a075541d4e3f1b3b6246aedbfd5e46b529471611814fa61
Opcode Fuzzy Hash: 344addc1f3e4355d090b6d89cfed2a670910044f83941d4abd61e6292ee91706
Instruction Fuzzy Hash: 04E01270A10208EFCB10EFB5D94176E77B6EF45304F6085A8F809DB244DA756F01A791

Function 02B58168 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70404da589dc658ecca93f16ca4374a9e3561953e3a6263bdc6c42954db8cf1b
Instruction ID: aa2a45b158b4ead59fa1aed58acd900dd39ddea565aaa1008cf39a6c3ddd4ad0
Opcode Fuzzy Hash: 70404da589dc658ecca93f16ca4374a9e3561953e3a6263bdc6c42954db8cf1b
Instruction Fuzzy Hash: 34E0C230805218EFC740EBA8D9413ACBFB8EB09205F1481DDCC889B381D7359E82DB81

Function 05A2ACA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c29f78ffe2d504abf7fbe814f7ec99f210cc3a48bdd9b2fdf7d11be403cc5e
Instruction ID: 164fdc9bbb322656b412becf34816d08e3cf043d38d3f83eb36f40ecb1e0922e
Opcode Fuzzy Hash: 11c29f78ffe2d504abf7fbe814f7ec99f210cc3a48bdd9b2fdf7d11be403cc5e
Instruction Fuzzy Hash: DDF05A78D40229CFDB64CF29D985BD9BBB1BF59301F0082EA9889A3600EB701EC58F01

Function 05A25E20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd288cf7b42ed6866a71ec8cb32d4747088597ad9433e9dba53c5f1b45edd2b
Instruction ID: bde3e5d6e24466c1a95a34f09f523aa1423652ff6b8c21ac0e5f9e18d0b36905
Opcode Fuzzy Hash: edd288cf7b42ed6866a71ec8cb32d4747088597ad9433e9dba53c5f1b45edd2b
Instruction Fuzzy Hash: F9E0EC74D05218EFCB50EFA8D94A7ACBBF8BB08201F1441AAD84997350E6349A50DB41

Function 05C30448 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92574eb7df24740ace07ef5c2f1adfa1247f4a6dadcf9b5e1b405416d7f26683
Instruction ID: b6cae4e2f39eb2065cd1f475f894dd5df21cc084cdca1f9e4f80fd9a271fcf0a
Opcode Fuzzy Hash: 92574eb7df24740ace07ef5c2f1adfa1247f4a6dadcf9b5e1b405416d7f26683
Instruction Fuzzy Hash: D5E01270A11108EFCB40EFA8D94165EBBF9EB45304F6085A8F808D3301D9756F01AB91

Function 02B2E6A0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956c566b0e38cf49d5aa4be5725178b2bb940d94fde8873ae7c48cb578c42cb9
Instruction ID: f26c1f69fd8f061df195d3d592da39f3ed3ac4e2b11252996924df248fd95a7b
Opcode Fuzzy Hash: 956c566b0e38cf49d5aa4be5725178b2bb940d94fde8873ae7c48cb578c42cb9
Instruction Fuzzy Hash: 59D05E7050A218DBC704EB95D940AA8B7ACEB46218F1481DDD80C67392CA76AD01DB85

Function 02B5ACC5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d435bbb789777efd495822f340a40d838c99d711aec181922b7645d31ffa6d59
Instruction ID: 0a1be7884fca07309a737c19372eb8e5224e46bb0056bb17c2560d007f52f82b
Opcode Fuzzy Hash: d435bbb789777efd495822f340a40d838c99d711aec181922b7645d31ffa6d59
Instruction Fuzzy Hash: C7E04678900258CFCB01AF80E848BA8B772FB4A320F208245E806AA604CB3949029F10

Function 02B26F97 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50906a8720e16be975f9e2bd774d19267751f3819d236577b77cb89728d6017
Instruction ID: 8fe94ccb2b1a261fe32fa1efd2b755c9b6ecc6b2f9be7e1ff803b3fee278e916
Opcode Fuzzy Hash: b50906a8720e16be975f9e2bd774d19267751f3819d236577b77cb89728d6017
Instruction Fuzzy Hash: 06D0A73004E7608BCB02A7246549364FFBCAB47211F0405D1D44D49466C6640054C746

Function 02B21BE0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfc234d12cde3e6abcfc890d414bb9ba601e569a7d73549d803c6aa085469ec
Instruction ID: 552ac1e50d6b91f2ea60cef7f2330a344bc9e4276102c45c118586c3a42926e3
Opcode Fuzzy Hash: 9dfc234d12cde3e6abcfc890d414bb9ba601e569a7d73549d803c6aa085469ec
Instruction Fuzzy Hash: 47D09E753505088F8744EB69E984A1577EAAB8CA10320C5A9E909C7329DA34EC018B51

Function 02B20888 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f954551ee938acfb608208b95b3c53d52d59c55ad58b7d47eb5ac13a486830b
Instruction ID: 5a8ad2d53785bf5c69f30908596f40f056c19d4c85a4c943bc66b7e380351cca
Opcode Fuzzy Hash: 5f954551ee938acfb608208b95b3c53d52d59c55ad58b7d47eb5ac13a486830b
Instruction Fuzzy Hash: 6CC08C313100385B460433E9BA180BD768DCA8E665300012AF90AC3343CF193D012BDA

Function 02B21591 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126a5b9dca98f23cfc8dc9dee04a2cc20d4b7348a0a397b42ccd7ce626b86b9a
Instruction ID: 241f1e12a23fdeb7b57b195228ad0403a547f73c92b4a80cd7b08d4d40c5db79
Opcode Fuzzy Hash: 126a5b9dca98f23cfc8dc9dee04a2cc20d4b7348a0a397b42ccd7ce626b86b9a
Instruction Fuzzy Hash: 0DD0A771D042358BDB11BF54D8443DDB321AF21341F994CB4E94A63101CB289E0D9F51

Function 02B5D7AD Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947a6d46e0f01e174d2471819eb7cd99a8d81ea3591e3f680c4e0ec528db62c3
Instruction ID: 4ba6541700a726daccb19c9db2be5fbe1f830c2fc2de02e614a10b17c675b93a
Opcode Fuzzy Hash: 947a6d46e0f01e174d2471819eb7cd99a8d81ea3591e3f680c4e0ec528db62c3
Instruction Fuzzy Hash: 81E0E27080122ACFEB20DF24C948F99BBB0EB04311F0591E59409AB260D3309DC0DF21

Function 05EBD4C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946dd170cda0730cf95f9d1589b2f459fdf1761ab160483d81b119ed239b9482
Instruction ID: 32cd8cd42331b14e226ba0fecbe2dcecf0dd0e7955d03b3e5e3d6a524407cb30
Opcode Fuzzy Hash: 946dd170cda0730cf95f9d1589b2f459fdf1761ab160483d81b119ed239b9482
Instruction Fuzzy Hash: A2C08C3008F60882F2002244AF4C3F232AC6707217F002A00D84E248625AA42850C65A

Function 02B208B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907d3d8c69b403d0c2f7dfc3f779a60c28155d30eeda816d9b4dc2aa47e98a4e
Instruction ID: 9f9e1696e0b3b8bc54d4be9637c1a0469c088389a5672eb20743dbab6fc8c445
Opcode Fuzzy Hash: 907d3d8c69b403d0c2f7dfc3f779a60c28155d30eeda816d9b4dc2aa47e98a4e
Instruction Fuzzy Hash: 43C08C2404E3C85FCB1393B02DAA48A3F348D0304470801DBD8C9DA4A3C20820068B22

Function 05C3DB60 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd6356f5e8ddee4a77a72108c824a6e1531f4906bf328c6a2eddf3d3625adf8
Instruction ID: 3c659d7fca1189507c6efcf5d8d6afcb19a423b9e6f425a510d4f25a32d51f84
Opcode Fuzzy Hash: 6fd6356f5e8ddee4a77a72108c824a6e1531f4906bf328c6a2eddf3d3625adf8
Instruction Fuzzy Hash: F5D0127A1045818FC311CB7CD986E507B70EF57355B1550E6F155CB672C321AD15DB04

Function 02B59899 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0dcae4f56e02a83545bb62dd58e3aa07be441d078b43bf162a6b4ad757017d1
Instruction ID: 4ebad7488f6adfa73a24c9cf1111ae821b4ef4c919916c42c9b6926b7d2a8a7d
Opcode Fuzzy Hash: a0dcae4f56e02a83545bb62dd58e3aa07be441d078b43bf162a6b4ad757017d1
Instruction Fuzzy Hash: 2FD092B4D15228CBCB14EFA5E4557ADBAB1FB45304F504129E806A7346DB384845DF01

Function 05EA8B6E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2239154928.0000000005EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ea0000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325df1a65e9f7db2e1959bd19fc19fb46cfe0bb0f95b2dcdb2dfd3a9398c8c77
Instruction ID: b73f6f6ec91a645bb3cd95b07965af7ceaa6225c95eaf519518357333ba13071
Opcode Fuzzy Hash: 325df1a65e9f7db2e1959bd19fc19fb46cfe0bb0f95b2dcdb2dfd3a9398c8c77
Instruction Fuzzy Hash: 24D0A9B82001008BC320DE50D858BEA76A6EB49300F808059B40D93686CA384E82DB21

Function 02B2AF58 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6959456660b315e9cfa8f2e181cfde3a1b6dd9f3d2b2f7d867a03b282a4d2f
Instruction ID: 26ea0a994d2d3a4def0cc5c9185fa53a921909717098aa108ee8bdaa862bb292
Opcode Fuzzy Hash: bd6959456660b315e9cfa8f2e181cfde3a1b6dd9f3d2b2f7d867a03b282a4d2f
Instruction Fuzzy Hash: B8C08C704C170887C30477E4BD4E729B76CBB0AA06F040A50E50CA08A0CB7D4068DA2A

Function 02B21E79 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08e7022b02c9466c77ce8f9d9bf913cb4f88019d64f1941fc68f21438b6da5d
Instruction ID: df9fec2ff1ac3829650250ad2776991a067c0dad83a0188fd644e2a866774863
Opcode Fuzzy Hash: f08e7022b02c9466c77ce8f9d9bf913cb4f88019d64f1941fc68f21438b6da5d
Instruction Fuzzy Hash: B4C08C341884808FC302C738C4A1C483FB0AE4A20130102EDF04AC7636C3126823CB01

Function 05A2712C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7063d8a7aef4568d7a5f5956acb5f9b29b64b14bbe154f3c9019da4db0d58c
Instruction ID: d9f473aa762a22138d6610dc7cd6da1e97020c2b35351afd3d4c8091aeb90381
Opcode Fuzzy Hash: 8e7063d8a7aef4568d7a5f5956acb5f9b29b64b14bbe154f3c9019da4db0d58c
Instruction Fuzzy Hash: 5CD067B8A05218CFCB10DF28EA55B99B7B1FB4A304F004095D409A7315CB745D90CF01

Function 02B5B62A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214910017.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b50000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0e584e24b760a592bb13f477f93a1dae00ff092212cf660ff96b6ba34bd58c
Instruction ID: 358efa9969467a298800be7fc136034c4bee697b31be78905d33768dc6c70bb5
Opcode Fuzzy Hash: 4f0e584e24b760a592bb13f477f93a1dae00ff092212cf660ff96b6ba34bd58c
Instruction Fuzzy Hash: 6AD0C97090922C8BDBA0DF64C884398BAF1BB0A314F1042C9948DA2315CA320EC8CF10

Function 05A27B7A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238415609.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a660d2b633dbcbe9034d6d92b21fd4f39008d159bcc4b5a530712754c2b04bc
Instruction ID: 9fac1b3ea14084d94f028c2a7bf02bb2871d51829a4259c44c3abdde3a6a0b3e
Opcode Fuzzy Hash: 5a660d2b633dbcbe9034d6d92b21fd4f39008d159bcc4b5a530712754c2b04bc
Instruction Fuzzy Hash: 66C00276E5001A9A8B00DAD9E4508DCB774EB94321B004026D214A6104D63115268B50

Function 05C318F0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cf923acb555c02ac22599bb64f464d929b29d876b0bd850d4e16958fd7ade2
Instruction ID: 23b69f938802ce023b96887bfc8a92ee6713fb33de16eaf5b0e4667f94149a11
Opcode Fuzzy Hash: 06cf923acb555c02ac22599bb64f464d929b29d876b0bd850d4e16958fd7ade2
Instruction Fuzzy Hash: 64C09271A404008FCA30DF8EDD89B4A77A0FF41306F916010B201E6271C6A0DC53EF1A

Function 05C3DB70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 05C3B2A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2238656455.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c30000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0451c66e3b81f16cd0994f50c3f7f02460d0380984ac0052eab2edd220bf27f6
Instruction ID: 76205cf4e56923c58924837cc99cb634fddb948de674f8a714936f1aafddefca
Opcode Fuzzy Hash: 0451c66e3b81f16cd0994f50c3f7f02460d0380984ac0052eab2edd220bf27f6
Instruction Fuzzy Hash: 1FB011E382000003E2C2B208C82A3A202288BA8232FE888A28008C3380F088C20820B2

Function 02B208D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717df99d515fbe10ff6ba5d28b853b21ed7804ab8b59b81a06322fbecb8faed5
Instruction ID: 41d803b44b923d58d8bdfe2972d3019f348cb1647920f386ab8394a9a81e6128
Opcode Fuzzy Hash: 717df99d515fbe10ff6ba5d28b853b21ed7804ab8b59b81a06322fbecb8faed5
Instruction Fuzzy Hash: 4FB09203A4D2824AD3AB05786C755943E21AA0210678E01E75CD484287B00C18486E52

Function 02B21E80 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40

Function 02B208C0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2214753506.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b20000_Networks!.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbbcb649df09f3659a721537507657ab04195d9db24c6abd13631257a830496
Instruction ID: 4149b59d5ac6bfe7fe71c49387983e568a51ba1b21ca1073785df3411ab8bcf0
Opcode Fuzzy Hash: abbbcb649df09f3659a721537507657ab04195d9db24c6abd13631257a830496
Instruction Fuzzy Hash: 54902230000A0CCF000033803A08280330C800080A3800002A00C000000A0830000880

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report new policy.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: NanoCore

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

System Summary

Stealing of Sensitive Information

Remote Access Functionality

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Networks!.exe.log

C:\Users\user\AppData\Local\Temp\airlineagancy.casacam.net 7076.exe

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\catalog.dat

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\settings.bak

Windows Analysis Report
new policy.scr.exe

Function 013DB178 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Function 05D5B928 Relevance: 3.0, Strings: 2, Instructions: 542
COMMON

Function 013D6BB8 Relevance: 2.7, Strings: 2, Instructions: 171
COMMON

Function 013D6BC8 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Function 05D5B918 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre