Windows Analysis Report
INQUIRY.exe

Overview

General Information

Sample Name: INQUIRY.exe
Analysis ID: 628367
MD5: ae825520f1b4c679b80568d05f604c75
SHA1: 76dbd18631e2007c65ea27e7b5ff2f130017c223
SHA256: cc1b297e38dc99d95d931c99c51582a6be2c7e713e9c4cfb3ad28476c3b685a8
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • INQUIRY.exe (PID: 6460 cmdline: "C:\Users\user\Desktop\INQUIRY.exe" MD5: AE825520F1B4C679B80568D05F604C75)
    • INQUIRY.exe (PID: 5844 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: AE825520F1B4C679B80568D05F604C75)
    • INQUIRY.exe (PID: 612 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: AE825520F1B4C679B80568D05F604C75)
  • cleanup

Malware configuration (NanoCore, as extracted by the sandbox):
{
  "Version": "1.2.2.0",
  "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730",
  "Group": "Default",
  "Domain1": "deranano2.ddns.net",
  "Port": 1187,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}
Yara matches in memory dumps (Source | Rule | Description | Author, followed by matched strings):
    Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
    Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
    Source: 00000000.00000002.341923328.0000000007310000.00000004.08000000.00040000.00000000.sdmp | Rule: MALWARE_Win_zgRAT | Description: Detects zgRAT | Author: ditekSHen
      • 0x51a8f:$s1: file:///
      • 0x5199f:$s2: {11111-22222-10009-11112}
      • 0x51a1f:$s3: {11111-22222-50001-00000}
      • 0x4eee1:$s4: get_Module
      • 0x4f327:$s5: Reverse
      • 0x512ce:$s6: BlockCopy
      • 0x51112:$s7: ReadByte
      • 0x51aa1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
    Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0xff8d:$x1: NanoCore.ClientPluginHost
      • 0xffca:$x2: IClientNetworkHost
      • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    (table truncated; 77 entries in total)
Yara matches in unpacked PE files (Source | Rule | Description | Author, followed by matched strings):
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x605:$x1: NanoCore.ClientPluginHost
      • 0x3bd6:$x1: NanoCore.ClientPluginHost
      • 0x63e:$x2: IClientNetworkHost
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
      • 0x605:$x2: NanoCore.ClientPluginHost
      • 0x3bd6:$x2: NanoCore.ClientPluginHost
      • 0x720:$s4: PipeCreated
      • 0x3cb4:$s4: PipeCreated
      • 0x61f:$s5: IClientLoggingHost
      • 0x3bf0:$s5: IClientLoggingHost
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack | Rule: MALWARE_Win_NanoCore | Description: Detects NanoCore | Author: ditekSHen
      • 0x67f:$x2: NanoCore.ClientPlugin
      • 0x3c20:$x2: NanoCore.ClientPlugin
      • 0x605:$x3: NanoCore.ClientPluginHost
      • 0x3bd6:$x3: NanoCore.ClientPluginHost
      • 0x695:$i3: IClientNetwork
      • 0x3c36:$i3: IClientNetwork
      • 0x61f:$i6: IClientLoggingHost
      • 0x3bf0:$i6: IClientLoggingHost
      • 0x63e:$i7: IClientNetworkHost
      • 0x688:$s1: ClientPlugin
      • 0x3c29:$s1: ClientPlugin
    Source: 12.2.INQUIRY.exe.5a10000.21.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
    Source: 12.2.INQUIRY.exe.5a10000.21.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
    (table truncated; 266 entries in total)

    AV Detection

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Stealing of Sensitive Information

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INQUIRY.exe, ProcessId: 612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Snort IDS alerts (Timestamp | SID | Protocol Source -> Destination | Classtype):
    05/17/22-15:51:20.051765 | SID 2025019 | TCP 192.168.2.3:49754 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:49.922162 | SID 2816766 | TCP 192.168.2.3:49759 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:55.884728 | SID 2816766 | TCP 192.168.2.3:49762 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:49.271106 | SID 2025019 | TCP 192.168.2.3:49821 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:08.945021 | SID 2816766 | TCP 192.168.2.3:49769 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:22.683460 | SID 2816766 | TCP 192.168.2.3:49772 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:35.136378 | SID 2816766 | TCP 192.168.2.3:49756 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:16.087791 | SID 2816766 | TCP 192.168.2.3:49771 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:42.232466 | SID 2816766 | TCP 192.168.2.3:49758 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:14.332940 | SID 2025019 | TCP 192.168.2.3:49771 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:26.361440 | SID 2025019 | TCP 192.168.2.3:49755 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:49.170097 | SID 2810290 | TCP 212.193.30.204:1187 -> 192.168.2.3:49759 | A Network Trojan was detected
    05/17/22-15:52:53.707374 | SID 2025019 | TCP 192.168.2.3:49827 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:28.186816 | SID 2816766 | TCP 192.168.2.3:49755 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:38.018804 | SID 2816766 | TCP 192.168.2.3:49777 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:07.767118 | SID 2025019 | TCP 192.168.2.3:49769 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:21.314024 | SID 2025019 | TCP 192.168.2.3:49772 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:33.850974 | SID 2025019 | TCP 192.168.2.3:49756 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:49.302941 | SID 2841753 | TCP 212.193.30.204:1187 -> 192.168.2.3:49821 | A Network Trojan was detected
    05/17/22-15:51:48.671520 | SID 2025019 | TCP 192.168.2.3:49759 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:54.994564 | SID 2025019 | TCP 192.168.2.3:49762 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:49.922162 | SID 2816718 | TCP 192.168.2.3:49759 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:28.816548 | SID 2816766 | TCP 192.168.2.3:49773 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:43.253756 | SID 2025019 | TCP 192.168.2.3:49800 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:21.147618 | SID 2816766 | TCP 192.168.2.3:49754 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:27.825250 | SID 2025019 | TCP 192.168.2.3:49773 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:01.984569 | SID 2816766 | TCP 192.168.2.3:49763 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:43.290789 | SID 2841753 | TCP 212.193.30.204:1187 -> 192.168.2.3:49800 | A Network Trojan was detected
    05/17/22-15:52:56.191568 | SID 2816766 | TCP 192.168.2.3:49827 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:51:40.603505 | SID 2025019 | TCP 192.168.2.3:49758 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:43.389217 | SID 2816766 | TCP 192.168.2.3:49800 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:53:08.771321 | SID 2841753 | TCP 212.193.30.204:1187 -> 192.168.2.3:49827 | A Network Trojan was detected
    05/17/22-15:52:01.044216 | SID 2025019 | TCP 192.168.2.3:49763 -> 212.193.30.204:1187 | A Network Trojan was detected
    05/17/22-15:52:34.655294 | SID 2025019 | TCP 192.168.2.3:49777 -> 212.193.30.204:1187 | A Network Trojan was detected

    AV Detection

    Source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
    Source: INQUIRY.exe | ReversingLabs: Detection: 34%
    Source: deranano2.ddns.net | Avira URL Cloud: Label: malware
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTR
    Source: INQUIRY.exe | Joe Sandbox ML: detected
    Source: 12.0.INQUIRY.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 12.0.INQUIRY.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 12.2.INQUIRY.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 12.0.INQUIRY.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 12.2.INQUIRY.exe.6270000.23.unpack | Avira: Label: TR/NanoCore.fadte
    Source: 12.0.INQUIRY.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 12.0.INQUIRY.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: INQUIRY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: INQUIRY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INQUIRY.exe, 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: INQUIRY.exe, 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 12_2_0676EA50
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 12_2_0676A8B1
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 12_2_0676EA40

    Networking

    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49754 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49755 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49756 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49758 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49759 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 212.193.30.204:1187 -> 192.168.2.3:49759
    Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49759 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49762 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49763 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49769 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49769 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49771 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49771 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49772 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49772 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49773 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49773 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49777 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49777 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49800 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.3:49800
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49800 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49821 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.3:49821
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49827 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49827 -> 212.193.30.204:1187
    Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.3:49827
    Source: Yara match | File source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4a1e135.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.3114b84.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4a11f01.10.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.3.INQUIRY.exe.4cbdca6.2.raw.unpack, type: UNPACKEDPE
    Source: Malware configuration extractor | URLs: deranano2.ddns.net
    Source: unknown | DNS query: name: deranano2.ddns.net
    Source: Joe Sandbox View | ASN Name: SPD-NETTR
    Source: Joe Sandbox View | IP Address: 212.193.30.204
    Source: global traffic | TCP traffic: 192.168.2.3:49754 -> 212.193.30.204:1187
    Source: INQUIRY.exe, 00000000.00000003.284037827.0000000005854000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.283930415.0000000005853000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.283972688.0000000005854000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.284002706.0000000005854000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
    Source: INQUIRY.exe, 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
    Source: INQUIRY.exe, 00000000.00000003.287532861.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com)
    Source: INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comSm
    Source: INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comTCk
    Source: INQUIRY.exe, 00000000.00000003.287844382.000000000585E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coma
    Source: INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287664520.000000000585E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.come
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
    Source: INQUIRY.exe, 00000000.00000003.287713459.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287844382.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287760170.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287664520.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comlt
    Source: INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comm
    Source: INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comn-u
    Source: INQUIRY.exe, 00000000.00000003.287713459.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287760170.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287664520.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.
    Source: INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comubhu
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
    Source: INQUIRY.exe, 00000000.00000003.294312034.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.305535549.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.293291124.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296430840.000000000587D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
    Source: INQUIRY.exe, 00000000.00000003.293079762.000000000587D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: INQUIRY.exe, 00000000.00000003.295209678.000000000588E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: INQUIRY.exe, 00000000.00000003.296168282.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296003647.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296236492.000000000587D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers1;
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
    Source: INQUIRY.exe, 00000000.00000003.305535549.000000000587D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersI;
    Source: INQUIRY.exe, 00000000.00000003.296840214.000000000587D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designerse;
    Source: INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com2g6j
    Source: INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comM.TTF
    Source: INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
    Source: INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalic_gKj
    Source: INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comasefHgPj
    Source: INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
    Source: INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.commic
    Source: INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comrsiv
    Source: INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsief$g
    Source: INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comzgnj
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
    Source: INQUIRY.exe, 00000000.00000003.286330213.000000000588D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.286407353.000000000588D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
    Source: INQUIRY.exe, 00000000.00000003.286592453.0000000005855000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.300647485.000000000585C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
    Source: INQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.krm
    Source: INQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.krti
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.283040731.000000000586B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
    Source: INQUIRY.exe, 00000000.00000003.283040731.000000000586B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comivJ
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
    Source: INQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
    Source: INQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.krF
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.286776867.000000000585B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
    Source: INQUIRY.exe, 00000000.00000003.286634503.0000000005857000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.286776867.000000000585B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.coms~Jj
    Source: INQUIRY.exe, 00000000.00000003.284037827.0000000005854000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.net
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
    Source: INQUIRY.exe, 00000000.00000003.284037827.0000000005854000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netF-l
    Source: INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
    Source: INQUIRY.exe, 00000000.00000003.287359319.000000000585A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
    Source: INQUIRY.exe, 00000000.00000003.287359319.000000000585A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnn-u
    Source: unknown DNS traffic detected: queries for: deranano2.ddns.net
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    Source: Yara match File source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match File source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTR

    System Summary

    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.5a10000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.5a10000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.6ff0000.25.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.71e0000.33.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.71e0000.33.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c1c37e.15.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c1c37e.15.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c0df4e.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c0df4e.16.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4a11f01.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4a11f01.10.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.7310000.11.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
    Source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.7250000.38.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7250000.38.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7080000.31.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7080000.31.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c1c37e.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c1c37e.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.7050000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7050000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7250000.38.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7250000.38.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.721e8a4.35.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.721e8a4.35.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.7000000.26.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7000000.26.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7040000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7040000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7000000.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7000000.26.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.3.INQUIRY.exe.4cbdca6.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.3.INQUIRY.exe.4cbdca6.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.3120dcc.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.3120dcc.5.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.INQUIRY.exe.7310000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7200000.34.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7200000.34.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7214c9f.36.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7214c9f.36.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7050000.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7050000.28.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.71d0000.32.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.71d0000.32.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4a1e135.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4a1e135.9.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c0511f.17.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c0511f.17.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7060000.29.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7060000.29.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c0511f.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c0511f.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c0511f.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.4a1e135.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4a1e135.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4a1e135.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.4c0df4e.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c0df4e.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.7060000.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7060000.29.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.3135408.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.3135408.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.3135408.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7210000.37.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7210000.37.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.6ff0000.25.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.6ff0000.25.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.3114b84.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.3114b84.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.3114b84.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.71d0000.32.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.71d0000.32.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.3114b84.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.3114b84.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7080000.31.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7080000.31.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.71e0000.33.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.71e0000.33.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7070000.30.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7070000.30.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.7200000.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7200000.34.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4a11f01.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4a11f01.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4a11f01.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.7210000.37.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.7210000.37.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4a32762.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4a32762.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4a32762.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.3.INQUIRY.exe.4cd22d1.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.3.INQUIRY.exe.4cd22d1.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.3.INQUIRY.exe.4cbdca6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.3.INQUIRY.exe.4cbdca6.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.INQUIRY.exe.30bcc8c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 12.2.INQUIRY.exe.30bcc8c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.341923328.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects zgRAT Author: ditekSHen
    Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: INQUIRY.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.5a10000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.5a10000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.5a10000.21.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.71e0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.71e0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.71e0000.33.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4c1c37e.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4c1c37e.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4c1c37e.15.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4c0df4e.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4c0df4e.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4c0df4e.16.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4a11f01.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4a11f01.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4a11f01.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.INQUIRY.exe.7310000.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.7250000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.7250000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.7250000.38.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.7080000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.7080000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.7080000.31.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4c1c37e.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4c1c37e.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4c1c37e.15.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.7050000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7050000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7050000.28.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.7250000.38.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7250000.38.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7250000.38.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.721e8a4.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.721e8a4.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.721e8a4.35.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.3120dcc.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.7000000.26.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7000000.26.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7000000.26.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.7040000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7040000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7040000.27.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.7000000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7000000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7000000.26.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.3.INQUIRY.exe.4cbdca6.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.3.INQUIRY.exe.4cbdca6.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.3.INQUIRY.exe.4cbdca6.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.3120dcc.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.3120dcc.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.3120dcc.5.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.3.INQUIRY.exe.4cd7cfd.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 0.2.INQUIRY.exe.7310000.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_zgRAT (author = ditekSHen, description = Detects zgRAT)
    Source: 12.2.INQUIRY.exe.7200000.34.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7200000.34.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7200000.34.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.7214c9f.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7214c9f.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7214c9f.36.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.7050000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7050000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7050000.28.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.71d0000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.71d0000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.71d0000.32.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.4a1e135.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4a1e135.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.4a1e135.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.4c0511f.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4c0511f.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.4c0511f.17.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.7060000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7060000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7060000.29.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.4c0511f.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4c0511f.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.4c0511f.17.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.4c0511f.17.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.4a1e135.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4a1e135.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.4a1e135.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.4c0df4e.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4c0df4e.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.4c0df4e.16.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.7060000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7060000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7060000.29.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.3135408.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.3135408.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.3135408.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.3135408.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
    Source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.7210000.37.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.7210000.37.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.7210000.37.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.6ff0000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
    Source: 12.2.INQUIRY.exe.6ff0000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE)
    Source: 12.2.INQUIRY.exe.6ff0000.25.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore (author = ditekSHen, description = Detects NanoCore)
    Source: 12.2.INQUIRY.exe.3114b84.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.3114b84.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.3114b84.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.71d0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.71d0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.71d0000.32.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.3114b84.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.3114b84.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.3114b84.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.7080000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.7080000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.7080000.31.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.71e0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.71e0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.71e0000.33.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.7070000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.7070000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.7070000.30.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.7200000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.7200000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.7200000.34.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4a11f01.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4a11f01.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4a11f01.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.7210000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.7210000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.7210000.37.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4a32762.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4a32762.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4a32762.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.3.INQUIRY.exe.4cd22d1.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.3.INQUIRY.exe.4cd22d1.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.3.INQUIRY.exe.4cbdca6.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.3.INQUIRY.exe.4cbdca6.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.INQUIRY.exe.30bcc8c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.INQUIRY.exe.30bcc8c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.INQUIRY.exe.30bcc8c.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.341923328.0000000007310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00EFE6F0
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00EFC2C4
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00EFE6E0
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0165E471
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0165E480
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0165BBD4
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_06768648
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_06767A40
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_06768716
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074B06E8
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074B1C88
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074B1300
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074B3335
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074B4960
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074BB990
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074BB0C0
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_074B4080
    Source: INQUIRY.exe, 00000000.00000002.341923328.0000000007310000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs INQUIRY.exe
    Source: INQUIRY.exe, 00000000.00000000.279835283.0000000000598000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCLRSurrogateEntryFiel.exe. vs INQUIRY.exe
    Source: INQUIRY.exe, 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000B.00000000.328910871.00000000004C8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCLRSurrogateEntryFiel.exe. vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000000.333920014.0000000000D28000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCLRSurrogateEntryFiel.exe. vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.551251249.000000000142A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000003.344482913.00000000014E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.558549491.00000000064D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs INQUIRY.exe
    Source: INQUIRY.exe | Binary or memory string: OriginalFilenameCLRSurrogateEntryFiel.exe. vs INQUIRY.exe
    Source: INQUIRY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: INQUIRY.exeReversingLabs: Detection: 34%
    Source: C:\Users\user\Desktop\INQUIRY.exeFile read: C:\Users\user\Desktop\INQUIRY.exeJump to behavior
    Source: INQUIRY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\INQUIRY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\INQUIRY.exe "C:\Users\user\Desktop\INQUIRY.exe"
    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
    Source: C:\Users\user\Desktop\INQUIRY.exe | Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
    Source: C:\Users\user\Desktop\INQUIRY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\INQUIRY.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQUIRY.exe.log
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/5@15/1
    Source: 12.0.INQUIRY.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 12.0.INQUIRY.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: C:\Users\user\Desktop\INQUIRY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\INQUIRY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{fe56abb4-cb76-44f1-89b4-7bb11730ab9d}
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: C:\Users\user\Desktop\INQUIRY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: INQUIRY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: INQUIRY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INQUIRY.exe, 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: INQUIRY.exe, 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    Source: INQUIRY.exe, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.2.INQUIRY.exe.500000.0.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.INQUIRY.exe.500000.0.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 11.0.INQUIRY.exe.430000.3.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 11.0.INQUIRY.exe.430000.2.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 11.0.INQUIRY.exe.430000.1.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 11.0.INQUIRY.exe.430000.0.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 11.2.INQUIRY.exe.430000.0.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.c90000.2.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.c90000.11.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.c90000.13.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.INQUIRY.exe.c90000.9.unpack, Docary/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: INQUIRY.exe, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 0.2.INQUIRY.exe.500000.0.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 0.0.INQUIRY.exe.500000.0.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 11.0.INQUIRY.exe.430000.3.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 11.0.INQUIRY.exe.430000.2.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 11.0.INQUIRY.exe.430000.1.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 11.0.INQUIRY.exe.430000.0.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 11.2.INQUIRY.exe.430000.0.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 12.0.INQUIRY.exe.c90000.2.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 12.0.INQUIRY.exe.c90000.11.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 12.0.INQUIRY.exe.c90000.13.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: 12.0.INQUIRY.exe.c90000.9.unpack, Docary/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "436F6D70617269", "657064516F", "Docary" } }, null, null)
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_005099C1 push es; retf 0_2_005099C6
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00509747 push es; ret 0_2_0050997E
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00509870 push es; ret 0_2_0050997E
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_0050997F push es; retf 0_2_00509984
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_0050999E push es; ret 0_2_005099B4
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_005099B5 push es; ret 0_2_005099C0
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00508AB7 push es; ret 0_2_00508AB8
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 0_2_00508AA9 push es; ret 0_2_00508AAA
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_004399C1 push es; retf 11_2_004399C6
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_00439747 push es; ret 11_2_0043997E
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_00439870 push es; ret 11_2_0043997E
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_0043997F push es; retf 11_2_00439984
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_0043999E push es; ret 11_2_004399B4
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_00438AA9 push es; ret 11_2_00438AAA
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_00438AB7 push es; ret 11_2_00438AB8
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 11_2_004399B5 push es; ret 11_2_004399C0
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C999C1 push es; retf 12_2_00C999C6
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C99747 push es; ret 12_2_00C9997E
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C9997F push es; retf 12_2_00C99984
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C99870 push es; ret 12_2_00C9997E
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C9999E push es; ret 12_2_00C999B4
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C98AA9 push es; ret 12_2_00C98AAA
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C999B5 push es; ret 12_2_00C999C0
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_00C98AB7 push es; ret 12_2_00C98AB8
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0676F200 pushfd ; ret 12_2_0676F201
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0676BC67 push es; retf 12_2_0676BC8C
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0676BCFF push es; retf 12_2_0676BD24
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0676BCC1 push es; retf 12_2_0676BCD8
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0676BD4B push es; retf 12_2_0676BD70
    Source: C:\Users\user\Desktop\INQUIRY.exe | Code function: 12_2_0676BD97 push es; retf 12_2_0676BDBC
    Source: initial sample | Static PE information: section name: .text entropy: 7.910170505
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 12.0.INQUIRY.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 12.0.INQUIRY.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 12.2.INQUIRY.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 12.0.INQUIRY.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 12.0.INQUIRY.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Users\user\Desktop\INQUIRY.exe | File opened: C:\Users\user\Desktop\INQUIRY.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\INQUIRY.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: Yara match File source: 00000000.00000002.338473165.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTR
    Source: INQUIRY.exe, 00000000.00000002.338473165.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
    Source: INQUIRY.exe, 00000000.00000002.338473165.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6464 Thread sleep time: -45733s >= -30000s
    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6480 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 3764 Thread sleep time: -16602069666338586s >= -30000s
    Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\INQUIRY.exe Window / User API: threadDelayed 4343
    Source: C:\Users\user\Desktop\INQUIRY.exe Window / User API: threadDelayed 5008
    Source: C:\Users\user\Desktop\INQUIRY.exe Window / User API: foregroundWindowGot 741
    Source: C:\Users\user\Desktop\INQUIRY.exe Window / User API: foregroundWindowGot 798
    Source: C:\Users\user\Desktop\INQUIRY.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 45733
    Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
    Source: INQUIRY.exe, 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: INQUIRY.exe, 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
    Source: INQUIRY.exe, 0000000C.00000002.551922740.00000000014AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
    Source: INQUIRY.exe, 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
    Source: INQUIRY.exe, 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
    Source: C:\Users\user\Desktop\INQUIRY.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Users\user\Desktop\INQUIRY.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
    Source: INQUIRY.exe, 0000000C.00000002.558590256.000000000661B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager{^
    Source: INQUIRY.exe, 0000000C.00000002.560335746.0000000007AAC000.00000004.00000010.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.553887202.0000000003306000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.553580630.00000000031B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
    Source: INQUIRY.exe, 0000000C.00000002.560260438.000000000796C000.00000004.00000010.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.558624611.000000000675C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerram Manager
    Source: INQUIRY.exe, 0000000C.00000002.552364495.000000000161C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerram Managerd
    Source: INQUIRY.exe, 0000000C.00000002.553580630.00000000031B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert
    Source: INQUIRY.exe, 0000000C.00000002.560398139.0000000007BEC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Users\user\Desktop\INQUIRY.exe VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Users\user\Desktop\INQUIRY.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\INQUIRY.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 12_2_074B23E8 GetSystemTimes, 12_2_074B23E8
    Source: C:\Users\user\Desktop\INQUIRY.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\INQUIRY.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\INQUIRY.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information

    Source: Yara match, File source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTR

    Remote Access Functionality

    Source: INQUIRY.exe, 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: INQUIRY.exe, 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: INQUIRY.exe, 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: INQUIRY.exe, 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: INQUIRY.exe, 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKe
ywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: INQUIRY.exe, 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAtt
ributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: INQUIRY.exe, 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000003.344482913.00000000014E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: INQUIRY.exe, 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c9d871.18.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c94412.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a1b758.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.6270000.23.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40db12e.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.6270000.23.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.6274629.22.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c99248.19.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b386a8.12.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.0.INQUIRY.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b386a8.12.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40dff64.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a1b758.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40dff64.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4c99248.19.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a4e178.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b3ccd1.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.40e458d.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.3a4e178.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.INQUIRY.exe.39e6f38.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.INQUIRY.exe.4b33872.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: INQUIRY.exe PID: 6460, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: INQUIRY.exe PID: 612, type: MEMORYSTR
    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 112 Process Injection | 1 Masquerading | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 112 Process Injection | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | 21 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Hidden Files and Directories | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 23 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Source | Detection | Scanner | Label | Link
    INQUIRY.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
    INQUIRY.exe | 100% | Joe Sandbox ML | |

    No Antivirus matches

    Source | Detection | Scanner | Label | Link | Download
    12.0.INQUIRY.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    12.0.INQUIRY.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    12.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    12.0.INQUIRY.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    12.2.INQUIRY.exe.6270000.23.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
    12.0.INQUIRY.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    12.0.INQUIRY.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File

    Source | Detection | Scanner | Label | Link
    deranano2.ddns.net | 4% | Virustotal | | Browse
    Source | Detection | Scanner | Label | Link
    | 0% | Avira URL Cloud | safe |
    http://www.carterandcone.comn-u | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
    http://www.fontbureau.com2g6j | 0% | Avira URL Cloud | safe |
    http://www.zhongyicts.com.cnn-u | 0% | URL Reputation | safe |
    http://www.fontbureau.comalic_gKj | 0% | Avira URL Cloud | safe |
    http://www.tiro.com | 0% | URL Reputation | safe |
    http://www.fontbureau.commic | 0% | Avira URL Cloud | safe |
    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
    http://www.carterandcone.com | 0% | URL Reputation | safe |
    http://www.carterandcone.com) | 0% | Avira URL Cloud | safe |
    http://www.sajatypeworks.com | 0% | URL Reputation | safe |
    http://www.typography.netD | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
    http://fontfabrik.com | 0% | URL Reputation | safe |
    http://www.fontbureau.comzgnj | 0% | Avira URL Cloud | safe |
    http://www.typography.net | 0% | URL Reputation | safe |
    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
    http://www.tiro.coms~Jj | 0% | Avira URL Cloud | safe |
    http://www.fontbureau.comrsiv | 0% | URL Reputation | safe |
    http://www.sandoll.co.kr | 0% | URL Reputation | safe |
    http://www.sajatypeworks.comivJ | 0% | Avira URL Cloud | safe |
    http://www.sandoll.co.krF | 0% | URL Reputation | safe |
    http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
    http://www.goodfont.co.krm | 0% | URL Reputation | safe |
    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
    http://www.carterandcone.como. | 0% | URL Reputation | safe |
    http://www.sakkal.com | 0% | URL Reputation | safe |
    http://www.carterandcone.coma | 0% | URL Reputation | safe |
    http://www.carterandcone.come | 0% | URL Reputation | safe |
    http://www.fontbureau.comasefHgPj | 0% | Avira URL Cloud | safe |
    http://www.carterandcone.comlt | 0% | URL Reputation | safe |
    http://www.carterandcone.comubhu | 0% | Avira URL Cloud | safe |
    http://www.fontbureau.coma | 0% | URL Reputation | safe |
    http://www.typography.netF-l | 0% | Avira URL Cloud | safe |
    http://www.fontbureau.comd | 0% | URL Reputation | safe |
    http://www.carterandcone.comm | 0% | URL Reputation | safe |
    http://www.carterandcone.comSm | 0% | Avira URL Cloud | safe |
    http://www.carterandcone.coml | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
    http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
    deranano2.ddns.net | 100% | Avira URL Cloud | malware |
    http://www.fontbureau.comsief$g | 0% | Avira URL Cloud | safe |
    http://www.goodfont.co.krti | 0% | Avira URL Cloud | safe |
    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
    http://www.fontbureau.comM.TTF | 0% | URL Reputation | safe |
    http://www.carterandcone.comTCk | 0% | Avira URL Cloud | safe |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    deranano2.ddns.net | 212.193.30.204 | true | true | | unknown

    Name | Malicious | Antivirus Detection | Reputation
    | true | Avira URL Cloud: safe | low
    deranano2.ddns.net | true | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.fontbureau.com/designersG | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.carterandcone.comn-u | INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/? | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.founder.com.cn/cn/bThe | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com2g6j | INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.zhongyicts.com.cnn-u | INQUIRY.exe, 00000000.00000003.287359319.000000000585A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers? | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.fontbureau.comalic_gKj | INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
    http://www.tiro.com | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.286776867.000000000585B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers | INQUIRY.exe, 00000000.00000003.294312034.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.305535549.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.293291124.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296430840.000000000587D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.fontbureau.commic | INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.goodfont.co.kr | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://google.com | INQUIRY.exe, 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, INQUIRY.exe, 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.carterandcone.com | INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.com) | INQUIRY.exe, 00000000.00000003.287532861.0000000005852000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
    http://www.fontbureau.com/designerse; | INQUIRY.exe, 00000000.00000003.296840214.000000000587D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.sajatypeworks.com | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.283040731.000000000586B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.typography.netD | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn/cThe | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/staff/dennis.htm | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.300647485.000000000585C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://fontfabrik.com | INQUIRY.exe, 00000000.00000003.284037827.0000000005854000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.283930415.0000000005853000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.283972688.0000000005854000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.284002706.0000000005854000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.comzgnj | INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.typography.net | INQUIRY.exe, 00000000.00000003.284037827.0000000005854000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.galapagosdesign.com/DPlease | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.tiro.coms~Jj | INQUIRY.exe, 00000000.00000003.286634503.0000000005857000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.286776867.000000000585B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
    http://www.fontbureau.comrsiv | INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fonts.com | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.sandoll.co.kr | INQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.sajatypeworks.comivJ | INQUIRY.exe, 00000000.00000003.283040731.000000000586B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.sandoll.co.krF | INQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.urwpp.deDPlease | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.goodfont.co.krm | INQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.zhongyicts.com.cn | INQUIRY.exe, 00000000.00000003.287359319.000000000585A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | INQUIRY.exe, 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.carterandcone.como. | INQUIRY.exe, 00000000.00000003.287713459.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287760170.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287664520.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.sakkal.com | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.coma | INQUIRY.exe, 00000000.00000003.287844382.000000000585E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0 | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.fontbureau.com | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.fontbureau.com/designers1; | INQUIRY.exe, 00000000.00000003.296168282.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296003647.000000000587D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.296236492.000000000587D000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.carterandcone.come | INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287664520.000000000585E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.comasefHgPj | INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.carterandcone.comlt | INQUIRY.exe, 00000000.00000003.287713459.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287844382.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287760170.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287664520.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.comubhu | INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.coma | INQUIRY.exe, 00000000.00000003.335813867.0000000005850000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340369585.0000000005850000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.typography.netF-l | INQUIRY.exe, 00000000.00000003.284037827.0000000005854000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.fontbureau.comd | INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.comm | INQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.carterandcone.comSm | INQUIRY.exe, 00000000.00000003.287606118.000000000585E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.287569594.000000000585E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.carterandcone.coml | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.founder.com.cn/cn/ | INQUIRY.exe, 00000000.00000003.286592453.0000000005855000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/cabarga.htmlN | INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.founder.com.cn/cn | INQUIRY.exe, 00000000.00000003.286330213.000000000588D000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000003.286407353.000000000588D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.fontbureau.com/designers/frere-jones.html | INQUIRY.exe, 00000000.00000003.295209678.000000000588E000.00000004.00000800.00020000.00000000.sdmp, INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.fontbureau.comsief$g | INQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                              http://www.goodfont.co.krtiINQUIRY.exe, 00000000.00000003.286020085.0000000005853000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers8INQUIRY.exe, 00000000.00000002.340609425.0000000006A62000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.fontbureau.comM.TTFINQUIRY.exe, 00000000.00000003.296977604.0000000005852000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/INQUIRY.exe, 00000000.00000003.293079762.000000000587D000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designersI;INQUIRY.exe, 00000000.00000003.305535549.000000000587D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.carterandcone.comTCkINQUIRY.exe, 00000000.00000003.287487840.000000000585D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
212.193.30.204 | deranano2.ddns.net | Russian Federation | 57844 | SPD-NETTR | true
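The C2 above is reached through a dynamic-DNS hostname (deranano2.ddns.net) that resolves to 212.193.30.204. The following is an added example, not part of the Joe Sandbox report: a small hunt over DNS query logs that flags label-aligned subdomains of dynamic-DNS providers and any answer equal to the known C2 address. The log format, the client addresses, the non-C2 answer addresses and the providers other than ddns.net are constructed assumptions for the demonstration.

```python
"""Flag dynamic-DNS lookups and resolutions to a known C2 address in DNS logs.

Added example, not code from the Joe Sandbox report. Log format (constructed):
    <ISO timestamp> <client IP> <query name> <answer IP or "-">
ddns.net and 212.193.30.204 come from the report; the other provider suffixes
and every other address below are assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# From the report: the NanoCore C2 this sample resolved through dynamic DNS.
KNOWN_C2_IPS = {ipaddress.ip_address("212.193.30.204")}
# ddns.net is the report's; the rest are common providers added here.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "duckdns.org", "hopto.org")


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    qname: str
    answer: str
    reason: str


def is_dynamic_dns(qname: str) -> bool:
    """True if qname is a label-aligned subdomain of a dynamic-DNS provider.

    Label alignment matters: "ddns.net.example.com" must not match, and the
    provider apex itself ("ddns.net") is not a customer hostname either.
    """
    name = qname.rstrip(".").lower()
    return any(name.endswith("." + suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def parse_line(line: str) -> tuple[str, str, str, str] | None:
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed line: skip rather than crash the hunt
    return parts[0], parts[1], parts[2], parts[3]


def hunt(log: str) -> list[Alert]:
    alerts: list[Alert] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, answer = rec
        reasons = []
        if is_dynamic_dns(qname):
            reasons.append("dynamic-dns")
        if answer != "-":
            try:
                if ipaddress.ip_address(answer) in KNOWN_C2_IPS:
                    reasons.append("known-c2-ip")
            except ValueError:
                pass  # answer field was not an IP address
        if reasons:
            alerts.append(Alert(ts, client, qname, answer, "+".join(reasons)))
    return alerts


# Constructed sample log: one benign lookup, the C2 resolution, a look-alike
# that must not match, a failed C2 lookup, and another benign lookup.
SAMPLE_LOG = """\
2022-05-17T13:50:02Z 10.0.0.12 ctldl.windowsupdate.com 192.0.2.50
2022-05-17T13:50:05Z 10.0.0.12 deranano2.ddns.net 212.193.30.204
2022-05-17T13:50:09Z 10.0.0.33 ddns.net.example.com 192.0.2.10
2022-05-17T13:51:30Z 10.0.0.12 deranano2.ddns.net -
2022-05-17T13:52:11Z 10.0.0.41 login.live.com 198.51.100.7
"""

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"{a.ts} {a.client} {a.qname} -> {a.answer} [{a.reason}]")
```

The second hit (a query with no answer) is worth keeping: a failed or NXDOMAIN lookup of a dynamic-DNS name from the same host is still a beaconing indicator, and it is exactly what you would see once the operator lets the name lapse.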
                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:628367
Start date and time: 2022-05-17 15:49:31 +02:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 12m 46s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:INQUIRY.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@5/5@15/1
                                    EGA Information:
                                    • Successful, ratio: 66.7%
                                    HDC Information:
                                    • Successful, ratio: 0.2% (good quality ratio 0.1%)
                                    • Quality average: 59.2%
                                    • Quality standard deviation: 31.7%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 47
                                    • Number of non-executed functions: 1
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.35.237.194, 23.211.6.115
                                    • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, e16646.dscg.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com
• Execution Graph export aborted for target INQUIRY.exe, PID 5844 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
15:51:08 | API Interceptor | 810x Sleep call for process: INQUIRY.exe modified
Match (IP) | Associated Sample Name / URL | Detection
212.193.30.204 | Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe | malicious
212.193.30.204 | MARIAM HONAINE'S CV.exe | malicious
212.193.30.204 | QUOTATION.exe | malicious
212.193.30.204 | 2020574185.exe | malicious
212.193.30.204 | ORDER.exe | malicious
212.193.30.204 | POP.exe | malicious
212.193.30.204 | Bill Of Lading.exe | malicious
212.193.30.204 | 900010225 CON.LUMES JAIPUR 05.02.2022.exe | malicious

Match (Domain) | Associated Sample Name / URL | Detection | Context
deranano2.ddns.net | Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe | malicious | 212.193.30.204
deranano2.ddns.net | MARIAM HONAINE'S CV.exe | malicious | 212.193.30.204
deranano2.ddns.net | QUOTATION.exe | malicious | 212.193.30.204
deranano2.ddns.net | 2020574185.exe | malicious | 212.193.30.204
deranano2.ddns.net | ORDER.exe | malicious | 212.193.30.204
deranano2.ddns.net | POP.exe | malicious | 212.193.30.204
deranano2.ddns.net | Bill Of Lading.exe | malicious | 212.193.30.204
deranano2.ddns.net | 900010225 CON.LUMES JAIPUR 05.02.2022.exe | malicious | 212.193.30.204
deranano2.ddns.net | FYI.exe | malicious | 194.31.98.18
deranano2.ddns.net | FYI.exe | malicious | 194.31.98.18
deranano2.ddns.net | VOLGOIL LLC SOFT CORPORATE OFFER VESSEL TO TANK.exe | malicious | 194.31.98.18
deranano2.ddns.net | product specification and detailspdf.exe | malicious | 194.31.98.18

Match (ASN) | Associated Sample Name / URL | Detection | Context
SPD-NETTR | E3387D3F62414FB262DA20E54D5775A647443B88CD8A0.exe | malicious | 212.193.30.29
SPD-NETTR | E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe | malicious | 212.193.30.29
SPD-NETTR | Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe | malicious | 212.193.30.204
SPD-NETTR | New Purchase Order 4522028497676.xlsx | malicious | 212.193.30.214
SPD-NETTR | MARIAM HONAINE'S CV.exe | malicious | 212.193.30.204
SPD-NETTR | QUOTATION.exe | malicious | 212.193.30.204
SPD-NETTR | Resetter.exe | malicious | 212.193.30.29
SPD-NETTR | SecuriteInfo.com.Trojan.PackedNET.331.26146.exe | malicious | 212.193.30.38
SPD-NETTR | hdk8Z67C7x.exe | malicious | 212.193.30.29
SPD-NETTR | CHANGE OF ACCOUNT RUSH TO DESK.exe | malicious | 212.193.30.101
SPD-NETTR | 2020574185.exe | malicious | 212.193.30.204
SPD-NETTR | ORDER.exe | malicious | 212.193.30.204
SPD-NETTR | ckc238HATk.exe | malicious | 212.193.30.45
SPD-NETTR | ckc238HATk.exe | malicious | 212.193.30.45
SPD-NETTR | TjDCLiM89x.exe | malicious | 212.193.30.45
SPD-NETTR | POP.exe | malicious | 212.193.30.204
SPD-NETTR | AFAC7896CF21983233C533EEAEC870610856969D98218.exe | malicious | 212.193.30.29
SPD-NETTR | E4FB57012D7A31E6511C4BAC952323093E8BB51F13884.exe | malicious | 212.193.30.29
SPD-NETTR | E2E7294A6FEE9EF6372897F3BEBFFB0D17BC31B9CF8C6.exe | malicious | 212.193.30.29
SPD-NETTR | Bill Of Lading.exe | malicious | 212.193.30.204
                                                    Process:C:\Users\user\Desktop\INQUIRY.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1308
                                                    Entropy (8bit):5.345811588615766
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                                                    MD5:EA78C102145ED608EF0E407B978AF339
                                                    SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
                                                    SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                                                    SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                    Process:C:\Users\user\Desktop\INQUIRY.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):232
                                                    Entropy (8bit):7.024371743172393
                                                    Encrypted:false
                                                    SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                    MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                    SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                    SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                    SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                    Process:C:\Users\user\Desktop\INQUIRY.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):8
                                                    Entropy (8bit):3.0
                                                    Encrypted:false
                                                    SSDEEP:3:DQtn:DQt
                                                    MD5:08412FFEB47C1CF3F9CC9D7BB3C0A67A
                                                    SHA1:77A822119CD997E8754574F2B8841F6988816B72
                                                    SHA-256:D3FC762C9C7421ED69BEA8E3C37FBE7DFDCA502919398BB4E881DB37D52036FA
                                                    SHA-512:E29A5A426FEBBB249F021634EC426BCE43919BAE6D09B88996F54C160EC93379EE7C245738066D8FC3CC6013243C7CB092EA08EF77304A34F7B8C0A8F7BC7765
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview:....W8.H
                                                    Process:C:\Users\user\Desktop\INQUIRY.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):40
                                                    Entropy (8bit):5.153055907333276
                                                    Encrypted:false
                                                    SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                    MD5:4E5E92E2369688041CC82EF9650EDED2
                                                    SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                    SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                    SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:9iH...}Z.4..f.~a........~.~.......3.U.
                                                    Process:C:\Users\user\Desktop\INQUIRY.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):327432
                                                    Entropy (8bit):7.99938831605763
                                                    Encrypted:true
                                                    SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                    MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                    SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                    SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                    SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
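Each dropped-file entry above carries an "Entropy (8bit)" value and an "Encrypted" verdict; the 327,432-byte blob at 7.9994 bits per byte is flagged, the 232-byte blob at 7.02 is not, and the 8-byte drop sits at exactly 3.0. The following is an added example, not Joe Sandbox code, showing how those numbers are computed and why file size caps them. The 7.9 cutoff is an assumption chosen to reproduce the verdicts on this page; Joe Sandbox does not publish its threshold. All sample inputs are constructed.

```python
"""8-bit Shannon entropy and the packed/encrypted heuristic behind the
"Entropy (8bit)" and "Encrypted" fields of the dropped-file entries.

Added example, not Joe Sandbox code. ENCRYPTED_THRESHOLD is an assumption
picked so the verdicts on this page come out the same way. The sample
inputs are constructed here.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter

ENCRYPTED_THRESHOLD = 7.9  # assumption: Joe Sandbox does not publish its cutoff


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    s = sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return -s if s else 0.0


def max_entropy_for_size(n: int) -> float:
    """An n-byte file has at most n distinct values, so its entropy cannot
    exceed log2(n) bits/byte; tiny drops can never look "encrypted". The
    report's 8-byte drop at exactly 3.0 = log2(8) means every byte differs."""
    return min(8.0, math.log2(n)) if n > 0 else 0.0


def classify(data: bytes) -> dict:
    """Mimics the report's fields plus how close the blob is to its ceiling."""
    h = shannon_entropy(data)
    ceiling = max_entropy_for_size(len(data))
    return {
        "size": len(data),
        "entropy": round(h, 6),
        "fraction_of_max": round(h / ceiling, 4) if ceiling else 0.0,
        "encrypted": h >= ENCRYPTED_THRESHOLD,
    }


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain), standing in for a
    packed or encrypted payload like the 327 KB drop above."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    samples = [
        ("zeros", b"\x00" * 1024),
        ("8 distinct bytes", bytes(range(8))),
        ("ascii log text", b'1,"fusion","GAC",0\r\n' * 40),
        ("pseudo-random 64 KiB", pseudo_random(65536)),
    ]
    for label, blob in samples:
        print(f"{label:22s} {classify(blob)}")
```

Use fraction_of_max rather than the raw entropy when triaging many small drops: a 40-byte blob at 5.15 bits/byte (ceiling log2(40) = 5.32) is nearly as "random" as it can be, which the raw number hides.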
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.769513148901124
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                    File name:INQUIRY.exe
                                                    File size:638976
                                                    MD5:ae825520f1b4c679b80568d05f604c75
                                                    SHA1:76dbd18631e2007c65ea27e7b5ff2f130017c223
                                                    SHA256:cc1b297e38dc99d95d931c99c51582a6be2c7e713e9c4cfb3ad28476c3b685a8
                                                    SHA512:70577c5d172fd2073861b6f305249addf5fc7bfe285e9e30efffc4ab8d9119179c9b92bdb64137b7c6b6110cd0ac6b0e33688951203a34d7943b94237acd1e31
                                                    SSDEEP:12288:fCvNuR91X4HwQafBoxQ8exh2pVCQY1NJyhfUiOo7XVUASvfngDAR:wmXX4HwQafB/2pVCL1NJ4JOoz+fwDA
                                                    TLSH:8BD41242B7B5DBEAEEB45BFEA410141013B7E51F7856E3AC5EC560CB3A56B0046A0F23
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0..`...@.......l... ........@.. ... ....................... ........@................................
                                                    Icon Hash:00828e8e8686b000
                                                    Entrypoint:0x496cce
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x6282FCC1 [Tue May 17 01:39:13 2022 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
(the last line is repeated 86 times in the listing: the bytes after the stub are zero padding, and each 00 00 pair disassembles as add byte ptr [eax], al)
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
Data directories

Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0x96c7c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x98000          0x3a0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x9a000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x94ce4       0x96000   False     0.931482747396   data       7.910170505      IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x98000          0x3a0         0x2000    False     0.050537109375   data       0.518392701245   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9a000          0xc           0x2000    False     0.0050048828125  data       0.00881485270734 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        RVA      Size   Type  Language  Country
RT_VERSION  0x98058  0x344  data

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version information

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2013
Assembly Version  1.0.0.3
InternalName      CLRSurrogateEntryFiel.exe
FileVersion       1.0.0.3
CompanyName
LegalTrademarks
Comments
ProductName       Docary
ProductVersion    1.0.0.3
FileDescription   Docary
OriginalFilename  CLRSurrogateEntryFiel.exe
Snort IDS alerts

Timestamp                 Protocol  SID      Message                                                Source Port  Dest Port  Source IP        Dest IP
05/17/22-15:51:20.051765  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49754        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:49.922162  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49759        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:55.884728  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49762        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:49.271106  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49821        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:08.945021  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49769        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:22.683460  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49772        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:35.136378  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49756        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:16.087791  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49771        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:42.232466  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49758        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:14.332940  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49771        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:26.361440  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49755        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:49.170097  TCP       2810290  ETPRO TROJAN NanoCore RAT Keepalive Response 1         1187         49759      212.193.30.204   192.168.2.3
05/17/22-15:52:53.707374  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49827        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:28.186816  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49755        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:38.018804  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49777        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:07.767118  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49769        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:21.314024  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49772        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:33.850974  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49756        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:49.302941  TCP       2841753  ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)  1187         49821      212.193.30.204   192.168.2.3
05/17/22-15:51:48.671520  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49759        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:54.994564  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49762        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:49.922162  TCP       2816718  ETPRO TROJAN NanoCore RAT Keep-Alive Beacon            49759        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:28.816548  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49773        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:43.253756  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49800        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:21.147618  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49754        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:27.825250  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49773        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:01.984569  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49763        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:43.290789  TCP       2841753  ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)  1187         49800      212.193.30.204   192.168.2.3
05/17/22-15:52:56.191568  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49827        1187       192.168.2.3      212.193.30.204
05/17/22-15:51:40.603505  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49758        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:43.389217  TCP       2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49800        1187       192.168.2.3      212.193.30.204
05/17/22-15:53:08.771321  TCP       2841753  ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)  1187         49827      212.193.30.204   192.168.2.3
05/17/22-15:52:01.044216  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49763        1187       192.168.2.3      212.193.30.204
05/17/22-15:52:34.655294  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                     49777        1187       192.168.2.3      212.193.30.204
TCP packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                    May 17, 2022 15:51:20.632914066 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.632936001 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.632941008 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.632956982 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.632966995 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.632986069 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633011103 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633012056 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633034945 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633034945 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633060932 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633074045 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633085012 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633110046 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633133888 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633136988 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633158922 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633172035 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633182049 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633204937 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633224964 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633248091 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633249044 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633271933 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633280993 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633313894 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633323908 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633335114 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633356094 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633378029 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633382082 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633399010 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633419991 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633440018 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633441925 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633460999 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633462906 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633483887 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633505106 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633506060 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633527994 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633548021 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633569002 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633569002 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633589983 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633600950 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633610964 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633632898 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633645058 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633660078 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633676052 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633682013 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633703947 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633723974 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633724928 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633744955 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633784056 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633786917 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633809090 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633826971 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633831024 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633852959 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633874893 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.633877039 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.633924961 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.660979033 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661005020 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661021948 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661040068 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661057949 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661070108 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661082983 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661087990 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661094904 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661111116 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661128998 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661134005 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661140919 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661155939 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661171913 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661183119 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661187887 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661205053 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661206007 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661221981 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661238909 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661245108 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661257029 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661273956 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661278963 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661290884 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661298990 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661309958 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661326885 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661345005 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661362886 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661377907 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661382914 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661395073 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661411047 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661420107 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661427021 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661442995 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661453962 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661459923 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661477089 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661484957 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661494017 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661509991 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661515951 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661526918 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661544085 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661550045 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661560059 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661576986 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661582947 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661592960 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661611080 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661614895 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661628962 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661643982 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661648035 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661660910 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661676884 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661681890 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661693096 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661709070 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661715984 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661731005 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661746025 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661750078 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661762953 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661778927 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.661782980 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.661823034 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.688704967 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688731909 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688745022 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688756943 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688769102 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688785076 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688828945 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688848019 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688864946 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688882113 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688905954 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.688911915 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688929081 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688944101 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688961983 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688965082 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.688977957 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.688990116 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.688996077 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689012051 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689024925 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689029932 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689047098 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689058065 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689062119 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689074039 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689079046 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689095974 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689110041 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689110994 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689129114 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689143896 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689151049 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689171076 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689187050 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689203024 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689203024 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689218998 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689225912 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689234972 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689246893 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689251900 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689268112 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689282894 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689285994 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689301968 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689312935 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689316988 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689335108 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689346075 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689351082 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689367056 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689383984 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689399004 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689405918 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689415932 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689425945 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689433098 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689449072 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689455032 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689466000 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689481974 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689497948 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689498901 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689515114 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689522982 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689529896 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689546108 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689553022 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689560890 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689573050 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689577103 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689604998 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689609051 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689625978 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689640999 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689657927 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689665079 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689676046 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689692974 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689697981 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689709902 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689726114 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689733028 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689743042 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689754963 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689759970 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689775944 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689779997 CEST497541187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:51:20.689791918 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689809084 CEST118749754212.193.30.204192.168.2.3
                                                    May 17, 2022 15:51:20.689831972 CEST497541187192.168.2.3212.193.30.204
May 17, 2022 15:51:20.689838886 CEST  1187  49754  212.193.30.204  192.168.2.3
May 17, 2022 15:51:20.689855099 CEST  1187  49754  212.193.30.204  192.168.2.3
May 17, 2022 15:51:20.689861059 CEST  49754  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:20.689896107 CEST  49754  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:21.147618055 CEST  49754  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:21.217714071 CEST  1187  49754  212.193.30.204  192.168.2.3
May 17, 2022 15:51:22.000947952 CEST  49754  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:22.092950106 CEST  1187  49754  212.193.30.204  192.168.2.3
May 17, 2022 15:51:22.147689104 CEST  49754  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:26.333738089 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:26.360678911 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:26.360833883 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:26.361439943 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:26.400829077 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:26.443834066 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:26.468631983 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:26.496567011 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:26.631386995 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:27.123311043 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:27.202151060 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:27.782495022 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:27.858764887 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:27.986277103 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:28.037731886 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:28.064656973 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:28.186815977 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:28.264645100 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:28.264743090 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:28.342784882 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:28.342876911 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:28.370145082 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:28.370328903 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:28.397666931 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:28.425004005 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:28.514662027 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:28.514728069 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:28.625519991 CEST  1187  49755  212.193.30.204  192.168.2.3
May 17, 2022 15:51:29.580466986 CEST  49755  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:33.803085089 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:33.830038071 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:33.830720901 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:33.850974083 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:33.891064882 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:33.909100056 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:33.936729908 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:33.991336107 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:34.139559031 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:34.234472990 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:34.234611988 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:34.311506987 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:34.424983978 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:34.426434040 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:34.453547955 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:34.455013037 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:34.482604980 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:34.482810020 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:34.510324955 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:34.533303022 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:34.608305931 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:35.136378050 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:35.217710972 CEST  1187  49756  212.193.30.204  192.168.2.3
May 17, 2022 15:51:36.133133888 CEST  49756  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:40.575699091 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:40.602919102 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:40.603019953 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:40.603504896 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:40.651937962 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:40.653151035 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:40.680583954 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:40.726284981 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:40.876713991 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:40.949981928 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:41.031122923 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:41.032408953 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:41.059500933 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:41.060540915 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:41.087927103 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:41.088082075 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:41.115660906 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:41.115895033 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:41.199420929 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:41.259083986 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:41.339761019 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:42.232465982 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:42.324285984 CEST  1187  49758  212.193.30.204  192.168.2.3
May 17, 2022 15:51:44.545646906 CEST  49758  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:48.640455961 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:48.667546988 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:48.670272112 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:48.671519995 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:48.724174976 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:48.724684000 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:48.752145052 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:48.805088043 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:48.884443998 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:48.965193033 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:48.965270042 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:49.042820930 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:49.170097113 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:49.171333075 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:49.201179981 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:49.206528902 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:49.235112906 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:49.235230923 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:49.262942076 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:49.305104017 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:49.409130096 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:49.496568918 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:49.922162056 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:49.996721983 CEST  1187  49759  212.193.30.204  192.168.2.3
May 17, 2022 15:51:50.884255886 CEST  49759  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:54.965797901 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:54.992675066 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:54.993765116 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:54.994564056 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.044218063 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.044504881 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.071762085 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.118103981 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.435117006 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.511459112 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.596245050 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.607110977 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.634036064 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.637348890 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.666091919 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.666169882 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.693464041 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.743309975 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.773577929 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.856661081 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:55.884727955 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:51:55.964582920 CEST  1187  49762  212.193.30.204  192.168.2.3
May 17, 2022 15:51:56.948152065 CEST  49762  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.016765118 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.043611050 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.043700933 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.044215918 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.084001064 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.085355043 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.112695932 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.212440014 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.599973917 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.683279037 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.801814079 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.804879904 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.831732988 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.833070993 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.860066891 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.860409021 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:01.888267994 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:01.984569073 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:02.058490038 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:02.475441933 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:02.559396029 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:02.730674028 CEST  1187  49763  212.193.30.204  192.168.2.3
May 17, 2022 15:52:02.806279898 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:02.931735992 CEST  49763  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:07.739681959 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:07.766504049 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:07.766612053 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:07.767117977 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:07.808722019 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:07.808993101 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:07.836214066 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:07.916143894 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:07.955483913 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:08.027101040 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:08.945020914 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:09.027025938 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:09.265336037 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:09.339627028 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:09.436588049 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:09.437621117 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:09.464626074 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:09.472923994 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:09.500567913 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:09.500655890 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:09.527931929 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:09.582365036 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:09.667670012 CEST  1187  49769  212.193.30.204  192.168.2.3
May 17, 2022 15:52:09.948131084 CEST  49769  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.305036068 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.332293034 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:14.332433939 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.332940102 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.375855923 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:14.376125097 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.403614998 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:14.448211908 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.599459887 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.683461905 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:14.797697067 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:14.838519096 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.860517979 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.866628885 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:14.916692019 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:14.949407101 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:14.949505091 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:15.229264021 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:15.257375002 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:15.257596016 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:15.278309107 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:15.278491974 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:16.087790966 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:16.167857885 CEST  1187  49771  212.193.30.204  192.168.2.3
May 17, 2022 15:52:17.172197104 CEST  49771  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.283224106 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.313172102 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.313302994 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.314023972 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.353715897 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.354144096 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.381809950 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.495381117 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.575304985 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.652230024 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.661472082 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.745975018 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.765571117 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.766508102 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.793839931 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.795584917 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.823190928 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.823390961 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.852154016 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:21.852305889 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:21.933639050 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:22.683459997 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:22.762710094 CEST  1187  49772  212.193.30.204  192.168.2.3
May 17, 2022 15:52:23.715667009 CEST  49772  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:27.796297073 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:27.823255062 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:27.824623108 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:27.825249910 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:27.870884895 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:27.871529102 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:27.902149916 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:27.949908972 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.106216908 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.183309078 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:28.279572010 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:28.324085951 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.350934982 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:28.402208090 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.415584087 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.496134996 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:28.545948029 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.573174000 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:28.573368073 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.600718021 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:28.652261972 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.675853968 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.761353016 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:28.816548109 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:28.902012110 CEST  1187  49773  212.193.30.204  192.168.2.3
May 17, 2022 15:52:30.005460024 CEST  49773  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:34.579056025 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:34.606206894 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:34.606337070 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:34.655293941 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:34.699331999 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:34.713958979 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:34.741209030 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:34.871479034 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:35.440411091 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:35.527225018 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:35.570705891 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:35.652154922 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:35.776386976 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:35.824246883 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:35.851279974 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:35.867599010 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:35.895093918 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:35.981010914 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:36.478856087 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:36.506294966 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:36.584364891 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:36.677131891 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:36.690340996 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:36.786242962 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:38.018804073 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:38.114866018 CEST  1187  49777  212.193.30.204  192.168.2.3
May 17, 2022 15:52:39.061506987 CEST  49777  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:43.225935936 CEST  49800  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:43.253083944 CEST  1187  49800  212.193.30.204  192.168.2.3
May 17, 2022 15:52:43.253247023 CEST  49800  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:43.253756046 CEST  49800  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:43.290788889 CEST  1187  49800  212.193.30.204  192.168.2.3
May 17, 2022 15:52:43.372283936 CEST  49800  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:43.389216900 CEST  49800  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:43.400521994 CEST  1187  49800  212.193.30.204  192.168.2.3
May 17, 2022 15:52:43.400648117 CEST  49800  1187  192.168.2.3  212.193.30.204
May 17, 2022 15:52:43.474008083 CEST  1187  49800  212.193.30.204  192.168.2.3
May 17, 2022 15:52:43.474101067 CEST  49800  1187  192.168.2.3  212.193.30.204
                                                    May 17, 2022 15:52:43.501724958 CEST118749800212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:43.684758902 CEST498001187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:44.006223917 CEST498001187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:44.083395004 CEST118749800212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:44.202245951 CEST118749800212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:44.203210115 CEST498001187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:44.233072996 CEST118749800212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:44.234337091 CEST498001187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:44.261641979 CEST118749800212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:44.261750937 CEST498001187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:44.289272070 CEST118749800212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:44.289362907 CEST498001187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:44.379991055 CEST118749800212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:44.419584990 CEST498001187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:49.239154100 CEST498211187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:49.266068935 CEST118749821212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:49.270318031 CEST498211187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:49.271106005 CEST498211187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:49.302941084 CEST118749821212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:49.357193947 CEST498211187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:49.384460926 CEST118749821212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:49.385343075 CEST498211187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:49.412894011 CEST118749821212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:49.466516018 CEST498211187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:49.570382118 CEST498211187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:53.676153898 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:53.703295946 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:53.703454971 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:53.707374096 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:53.763737917 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:53.775154114 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:53.803260088 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:53.850548029 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:54.256728888 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:54.333199024 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:54.444968939 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:54.498254061 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:54.525336981 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:54.576472044 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:55.151376963 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:55.239384890 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:55.239455938 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:55.320252895 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:55.320573092 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:55.347820997 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:55.389178038 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:55.417036057 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:55.477736950 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:56.191567898 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:56.270569086 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:58.740190029 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:58.873723984 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:52:59.448827028 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:52:59.686146021 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:53:03.755650043 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:53:03.874556065 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:53:07.537178040 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:53:07.591623068 CEST498271187192.168.2.3212.193.30.204
                                                    May 17, 2022 15:53:08.771321058 CEST118749827212.193.30.204192.168.2.3
                                                    May 17, 2022 15:53:08.834973097 CEST498271187192.168.2.3212.193.30.204
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 17, 2022 15:51:19.889846087 CEST | 65358 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:51:19.910933018 CEST | 53 | 65358 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:51:26.197536945 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:51:26.216768980 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:51:33.780536890 CEST | 53802 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:51:33.801606894 CEST | 53 | 53802 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:51:40.552333117 CEST | 63332 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:51:40.574052095 CEST | 53 | 63332 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:51:48.617016077 CEST | 63548 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:51:48.638459921 CEST | 53 | 63548 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:51:54.945066929 CEST | 51391 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:51:54.964667082 CEST | 53 | 51391 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:00.997999907 CEST | 58981 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:01.015575886 CEST | 53 | 58981 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:07.683052063 CEST | 61380 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:07.700356960 CEST | 53 | 61380 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:14.284178972 CEST | 63146 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:14.303972960 CEST | 53 | 63146 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:21.262588024 CEST | 52985 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:21.282018900 CEST | 53 | 52985 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:27.775742054 CEST | 58625 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:27.795073032 CEST | 53 | 58625 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:34.533018112 CEST | 59795 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:34.552879095 CEST | 53 | 59795 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:43.147732019 CEST | 49723 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:43.166595936 CEST | 53 | 49723 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:49.216186047 CEST | 55403 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:49.237298012 CEST | 53 | 55403 | 8.8.8.8 | 192.168.2.3
May 17, 2022 15:52:53.654002905 CEST | 50608 | 53 | 192.168.2.3 | 8.8.8.8
May 17, 2022 15:52:53.674972057 CEST | 53 | 50608 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 17, 2022 15:51:19.889846087 CEST | 192.168.2.3 | 8.8.8.8 | 0x5611 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:51:26.197536945 CEST | 192.168.2.3 | 8.8.8.8 | 0x4428 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:51:33.780536890 CEST | 192.168.2.3 | 8.8.8.8 | 0x760f | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:51:40.552333117 CEST | 192.168.2.3 | 8.8.8.8 | 0xdef1 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:51:48.617016077 CEST | 192.168.2.3 | 8.8.8.8 | 0x99df | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:51:54.945066929 CEST | 192.168.2.3 | 8.8.8.8 | 0x151b | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:00.997999907 CEST | 192.168.2.3 | 8.8.8.8 | 0xeacc | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:07.683052063 CEST | 192.168.2.3 | 8.8.8.8 | 0xd86d | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:14.284178972 CEST | 192.168.2.3 | 8.8.8.8 | 0xf16b | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:21.262588024 CEST | 192.168.2.3 | 8.8.8.8 | 0x1fc | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:27.775742054 CEST | 192.168.2.3 | 8.8.8.8 | 0xe951 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:34.533018112 CEST | 192.168.2.3 | 8.8.8.8 | 0x252 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:43.147732019 CEST | 192.168.2.3 | 8.8.8.8 | 0xaa56 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:49.216186047 CEST | 192.168.2.3 | 8.8.8.8 | 0x9615 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 15:52:53.654002905 CEST | 192.168.2.3 | 8.8.8.8 | 0x70db | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 17, 2022 15:51:19.910933018 CEST | 8.8.8.8 | 192.168.2.3 | 0x5611 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:51:26.216768980 CEST | 8.8.8.8 | 192.168.2.3 | 0x4428 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:51:33.801606894 CEST | 8.8.8.8 | 192.168.2.3 | 0x760f | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:51:40.574052095 CEST | 8.8.8.8 | 192.168.2.3 | 0xdef1 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:51:48.638459921 CEST | 8.8.8.8 | 192.168.2.3 | 0x99df | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:51:54.964667082 CEST | 8.8.8.8 | 192.168.2.3 | 0x151b | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:01.015575886 CEST | 8.8.8.8 | 192.168.2.3 | 0xeacc | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:07.700356960 CEST | 8.8.8.8 | 192.168.2.3 | 0xd86d | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:14.303972960 CEST | 8.8.8.8 | 192.168.2.3 | 0xf16b | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:21.282018900 CEST | 8.8.8.8 | 192.168.2.3 | 0x1fc | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:27.795073032 CEST | 8.8.8.8 | 192.168.2.3 | 0xe951 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:34.552879095 CEST | 8.8.8.8 | 192.168.2.3 | 0x252 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:43.166595936 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa56 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:49.237298012 CEST | 8.8.8.8 | 192.168.2.3 | 0x9615 | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)
May 17, 2022 15:52:53.674972057 CEST | 8.8.8.8 | 192.168.2.3 | 0x70db | No error (0) | deranano2.ddns.net | | 212.193.30.204 | A (IP address) | IN (0x0001)

                                                    Target ID:0
                                                    Start time:15:50:49
                                                    Start date:17/05/2022
                                                    Path:C:\Users\user\Desktop\INQUIRY.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\INQUIRY.exe"
                                                    Imagebase:0x500000
                                                    File size:638976 bytes
                                                    MD5 hash:AE825520F1B4C679B80568D05F604C75
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.341923328.0000000007310000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.338473165.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.337691628.00000000028C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.338895835.00000000039E6000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    Target ID:11
                                                    Start time:15:51:11
                                                    Start date:17/05/2022
                                                    Path:C:\Users\user\Desktop\INQUIRY.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                    Imagebase:0x430000
                                                    File size:638976 bytes
                                                    MD5 hash:AE825520F1B4C679B80568D05F604C75
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    Target ID:12
                                                    Start time:15:51:12
                                                    Start date:17/05/2022
                                                    Path:C:\Users\user\Desktop\INQUIRY.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                    Imagebase:0xc90000
                                                    File size:638976 bytes
                                                    MD5 hash:AE825520F1B4C679B80568D05F604C75
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.333650932.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.332760680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559682076.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559737765.00000000071D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.553109451.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559661300.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.553287230.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.555355662.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559842281.0000000007250000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.557972444.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.555456198.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559697736.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.558223361.0000000006270000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559607626.0000000007050000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.556529236.0000000004C94000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.549595882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559784348.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.332315279.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559353476.0000000007000000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.555067915.0000000004962000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559560462.0000000007040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000000.333157472.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.554657887.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559751834.00000000071E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.532123583.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559800061.0000000007210000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000C.00000002.559298481.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low


                                                      Execution Graph

                                                      Execution Coverage:11.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:113
                                                      Total number of Limit Nodes:9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e6ea2d4e968e4e7dbc6d4edef5651c95924d6c89c8d82019370c746163173274
                                                      • Instruction ID: 7e20ece30e265dc98a8ea4c1d1082dc5b68ae3d31ef299aa6d626a115bbfb9ab
                                                      • Opcode Fuzzy Hash: e6ea2d4e968e4e7dbc6d4edef5651c95924d6c89c8d82019370c746163173274
                                                      • Instruction Fuzzy Hash: 4D12B3F1495F4ACAD710CF65EC981C93BA1FBD5B28B92C309D2611AAF0D7B8114AEF44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3532b328c12f22314ae455651c5b06da1caeb9e26e9aca39b76f8f3fa2eefc71
                                                      • Instruction ID: 0b58e2b4f989e635867c018125ba4aa35437c82a6b792a0538b7a19e82217ac5
                                                      • Opcode Fuzzy Hash: 3532b328c12f22314ae455651c5b06da1caeb9e26e9aca39b76f8f3fa2eefc71
                                                      • Instruction Fuzzy Hash: 59C138B1851B4ACBD710CF65EC881C97B71FBD5B28F568308D1616B6E0D7B8504AEF44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00EF976E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID: vT]
                                                      • API String ID: 4139908857-2955845773
                                                      • Opcode ID: 7501c0daba3a4e762451459e86af9363ba54ee3ab080c6fdcad53e87c160d63a
                                                      • Instruction ID: 70c70913d1e0d15f92a0dda44c1f8b763a17271b3499af9be79727bbbc65dde7
                                                      • Opcode Fuzzy Hash: 7501c0daba3a4e762451459e86af9363ba54ee3ab080c6fdcad53e87c160d63a
                                                      • Instruction Fuzzy Hash: 4D710670A00B098FD724DF29D15176AB7F1BF88308F00892ED59AE7A51DB74E945CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00EF5421
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID: vT]
                                                      • API String ID: 2289755597-2955845773
                                                      • Opcode ID: 5a76ca62f96d19a58ee4d1ddb7d01b9a85e0aa23a3b27d477b4eee5d44284b8d
                                                      • Instruction ID: 7c92e5d2ae87b1f07a252eb231db3f81c0ef812bc4eb95da7d4db8a3febd3194
                                                      • Opcode Fuzzy Hash: 5a76ca62f96d19a58ee4d1ddb7d01b9a85e0aa23a3b27d477b4eee5d44284b8d
                                                      • Instruction Fuzzy Hash: 55411271C0462CCBDB24DFA9C8447DEBBB1BF58308F218069D619BB250DBB56989CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00EF5421
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID: vT]
                                                      • API String ID: 2289755597-2955845773
                                                      • Opcode ID: 61feb6ea85e45320a08007feca95a8d9028e84fea601e4d90e6e547dc39ba35c
                                                      • Instruction ID: 661e1831e620de221ba5c4742be1cfb27d276e1053c87a26212ed46ab3d9a9e1
                                                      • Opcode Fuzzy Hash: 61feb6ea85e45320a08007feca95a8d9028e84fea601e4d90e6e547dc39ba35c
                                                      • Instruction Fuzzy Hash: F341E171C0462CCBDB24DFA9C8847DEBBB1BF58308F218069D519BB251DB75698ACF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EFB9FE,?,?,?,?,?), ref: 00EFBABF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID: vT]
                                                      • API String ID: 3793708945-2955845773
                                                      • Opcode ID: 310faa867fb1756b503ef2e5de00b1974b91c7a6105a79c9f8525f25f5b80dce
                                                      • Instruction ID: 702cbd79a9b3584b74df3956060c7db3025b3bc52f71c91289462a775c9d5b3b
                                                      • Opcode Fuzzy Hash: 310faa867fb1756b503ef2e5de00b1974b91c7a6105a79c9f8525f25f5b80dce
                                                      • Instruction Fuzzy Hash: F921E0B5D04248AFDB10CFA9D984AEEBBF8EB48324F14845AE915B3310D374A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EFB9FE,?,?,?,?,?), ref: 00EFBABF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID: vT]
                                                      • API String ID: 3793708945-2955845773
                                                      • Opcode ID: 3e2270e6a61416e23c2e078328618e7aa567ed5cb2171e0e111207bb417c6827
                                                      • Instruction ID: 3c60c1de4535cdd9ec9c6295a51991831e1783dbf29cf0e3e62e7d2ebb7e90bf
                                                      • Opcode Fuzzy Hash: 3e2270e6a61416e23c2e078328618e7aa567ed5cb2171e0e111207bb417c6827
                                                      • Instruction Fuzzy Hash: B921E0B5D042489FDB10CFA9D984AEEBBF5FB48324F14841AE955A3310D374A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EF97E9,00000800,00000000,00000000), ref: 00EF99FA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: vT]
                                                      • API String ID: 1029625771-2955845773
                                                      • Opcode ID: d8badafb015b94bb8626df08f4e40ed36b6c30d39ba599a8a114b065071a678c
                                                      • Instruction ID: 8e004ad457aa5b29c8f5fcbfe0694d961865089a1a38801fa60f089df276178b
                                                      • Opcode Fuzzy Hash: d8badafb015b94bb8626df08f4e40ed36b6c30d39ba599a8a114b065071a678c
                                                      • Instruction Fuzzy Hash: 1711F2B29042489BDB10CF9AD444BEEFBF4AB88324F15842EE559B7201C3B5A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EF97E9,00000800,00000000,00000000), ref: 00EF99FA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID: vT]
                                                      • API String ID: 1029625771-2955845773
                                                      • Opcode ID: dfae11e5aca62019eb6175ba3fff5bea9496d25bdfd5b1fe834fb80adaaa491f
                                                      • Instruction ID: c0481a292e212e652620874357296284f88c8fd4972544de2993d9aa75a56b82
                                                      • Opcode Fuzzy Hash: dfae11e5aca62019eb6175ba3fff5bea9496d25bdfd5b1fe834fb80adaaa491f
                                                      • Instruction Fuzzy Hash: F11112B6D002098FCB14CFA9D584BEEFBF5AB88324F15842ED555B7200C374A985CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00EF976E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID: vT]
                                                      • API String ID: 4139908857-2955845773
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337013269.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d3d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337053941.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d4d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337053941.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d4d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337053941.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d4d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337013269.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d3d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337053941.0000000000D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d4d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337013269.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d3d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337013269.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_d3d000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.337426476.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_ef0000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:16.2%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:1.4%
                                                      Total number of Nodes:353
                                                      Total number of Limit Nodes:23

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.559958767.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_74b0000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e9ed4fcff99c851c37607c51323e9162bd0136bcfae429a1e435cd85ff045a0d
                                                      • Instruction ID: 424863b47e4fe03db1c944542b31eaf5093a802582dd965eb7a4af48e9e539e7
                                                      • Opcode Fuzzy Hash: e9ed4fcff99c851c37607c51323e9162bd0136bcfae429a1e435cd85ff045a0d
                                                      • Instruction Fuzzy Hash: 09F08132D152148BCB149FA6E4087FDBBF8FB8E312F14902AE405B3250DB384844CB78
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0165B730
                                                      • GetCurrentThread.KERNEL32 ref: 0165B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 0165B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 0165B803
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: f5884d49c60d3d28b7098d1894a4a1ad55231c2cebe6e9a78cfea27a92aaa18e
                                                      • Instruction ID: f3d0e46d037e6dde68cb668aa7cc3fecee7721003d7be2eca64119be605ff4d0
                                                      • Opcode Fuzzy Hash: f5884d49c60d3d28b7098d1894a4a1ad55231c2cebe6e9a78cfea27a92aaa18e
                                                      • Instruction Fuzzy Hash: 3B5134B09047488FDB14CFA9D988BDEBBF1FF48314F24845AE419A7390DB745889CB65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0165B730
                                                      • GetCurrentThread.KERNEL32 ref: 0165B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 0165B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 0165B803
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 0a0450676be69658ed462c711744f33c3609230df26602c97cdabf313b5f7855
                                                      • Instruction ID: 92a02b8123bf8b5aa5406379d2a5ec8c873558f2e9fc3dfd1c87de0e399aebb0
                                                      • Opcode Fuzzy Hash: 0a0450676be69658ed462c711744f33c3609230df26602c97cdabf313b5f7855
                                                      • Instruction Fuzzy Hash: 665144B09047488FDB14CFA9D948BEEBBF1BF48314F24845AE419A7390CB745888CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a637a2f5c55949b810a167dc178022ceb3c205e99e56440b0e2e91d8568053b0
                                                      • Instruction ID: e85bebb21b0f6155506e48c1cd66940de05ff13f4f040ea477816c191c7916de
                                                      • Opcode Fuzzy Hash: a637a2f5c55949b810a167dc178022ceb3c205e99e56440b0e2e91d8568053b0
                                                      • Instruction Fuzzy Hash: E3816771D04219CFDB50CFAAC8806EEBBB1FF48314F10852AE815BB211DB709989CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0165962E
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 734bf7de10c715208ac1db9f4a2b0f368940b96c43be75306b8da135ddaf2abb
                                                      • Instruction ID: 52cec2b2ba6928594f380fe8c7f96680afb41fe99bd7f768b027b2e84bfa4ec0
                                                      • Opcode Fuzzy Hash: 734bf7de10c715208ac1db9f4a2b0f368940b96c43be75306b8da135ddaf2abb
                                                      • Instruction Fuzzy Hash: E7711370A00B058FD764CF2AC84475ABBF5BB88318F00892ED98AD7B40DB34E859CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0165FD0A
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: deaa67c758faafc6084dfec37454bf0d226341c5f49598d1295131cadb370516
                                                      • Instruction ID: b75348991855d2b959d74a9209220318ceadf0ce08291c5ae09cd01b2d8810e6
                                                      • Opcode Fuzzy Hash: deaa67c758faafc6084dfec37454bf0d226341c5f49598d1295131cadb370516
                                                      • Instruction Fuzzy Hash: A36139B1C053499FDB15CFA9C880ACEBFB5FF89310F19819AE814AB252D7749845CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0165FD0A
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 2ffcd4ce1b17db54751c0d422fd56711f162cb24c768ca2c0051d60e7c4d0749
                                                      • Instruction ID: 208940b87cde258491408afd63f9434d6c3d22bc4f0e0c3a3a3e4d76c9c50bac
                                                      • Opcode Fuzzy Hash: 2ffcd4ce1b17db54751c0d422fd56711f162cb24c768ca2c0051d60e7c4d0749
                                                      • Instruction Fuzzy Hash: 805101B1C04249AFDF15CFA9C980ADEBFB2FF48314F19816AE918AB221D7719855CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06763000
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      • Opcode ID: 9f42c2e6ee562321d473d06bffee5734f73284f1655058931d5ea894fe6f1d49
                                                      • Instruction ID: 221e656dcb30e07eeb652d1cb5140db9d58c5ce95d653e5ed450a63e674ed826
                                                      • Opcode Fuzzy Hash: 9f42c2e6ee562321d473d06bffee5734f73284f1655058931d5ea894fe6f1d49
                                                      • Instruction Fuzzy Hash: E1512471D102589FDB50CFAAC8806DEBBB5FF48314F14852AE815BB250DB709989CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06763000
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      • Opcode ID: 1c34d01b8eff2994a1a1deaaef62b654759ee9008ee4e482ffbdfbe7e307240a
                                                      • Instruction ID: 2853397e0341ef74245f73afa10b2b3aaec3fcc6fd52de76ca5442ddfc2f8fc4
                                                      • Opcode Fuzzy Hash: 1c34d01b8eff2994a1a1deaaef62b654759ee9008ee4e482ffbdfbe7e307240a
                                                      • Instruction Fuzzy Hash: 375134B1D102588FDB50CFA9C9806EEBBB1FF48314F24852AE815BB250DB749989CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0165FD0A
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 23cbb28f3352871ca7e7bb51cfffa0a9714822f442e6dd565dc29b9ebdfb2e6e
                                                      • Instruction ID: f850ba42d1b821c92cdafa42cd1322771fa13079b9a1129988740f93a71d168a
                                                      • Opcode Fuzzy Hash: 23cbb28f3352871ca7e7bb51cfffa0a9714822f442e6dd565dc29b9ebdfb2e6e
                                                      • Instruction Fuzzy Hash: 4F4190B1D10309DFDB14CF99C984ADEBBB5FF88314F24862AE819AB210D7759985CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph image not extracted; nodes were marked Executed / Not Executed)
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 06760C69
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: CurrentThread
                                                      • String ID:
                                                      • API String ID: 2882836952-0
                                                      • Opcode ID: 13d872c87154057bd0f97c2f63baccad3aea46351681dde2e74abcdd5111733b
                                                      • Instruction ID: 21a3094da00c739b71e78ae237624d23124a7a4fc973292ca127c7e259a41085
                                                      • Opcode Fuzzy Hash: 13d872c87154057bd0f97c2f63baccad3aea46351681dde2e74abcdd5111733b
                                                      • Instruction Fuzzy Hash: F6314871E102189FDB64DFA9C588BEDBBF5BF48610F14812AE806A7390CB749845CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.559958767.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_74b0000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 7a44744f65beb475c9b73ed5bd9e15f0aa509e897c8007e9f2047ebf114bc4b5
                                                      • Instruction ID: 15afcddc451d874d7d89a325fb67ec41c7750d7cc2ffb65e45c00d8afd261747
                                                      • Opcode Fuzzy Hash: 7a44744f65beb475c9b73ed5bd9e15f0aa509e897c8007e9f2047ebf114bc4b5
                                                      • Instruction Fuzzy Hash: 9E3144B0D10649CFCB28CFA9C8857DEBBF9BB48314F14852AE815A7340D7749885CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 06760C69
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.558653945.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_6760000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: CurrentThread
                                                      • String ID:
                                                      • API String ID: 2882836952-0
                                                      • Opcode ID: 22f0c8227fd9e7c9e2cd532a52cbe258bf855957bd5c96c7aeaa091313e45056
                                                      • Instruction ID: 5be3422d368028d7f5fbf328c5baf0bd17f9085c1c366248d74628c1032cc490
                                                      • Opcode Fuzzy Hash: 22f0c8227fd9e7c9e2cd532a52cbe258bf855957bd5c96c7aeaa091313e45056
                                                      • Instruction Fuzzy Hash: DF317871E102189FCB64CFA9D488BEDBBF5BB48310F14852EE806A7381CB745849CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0165BD87
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 6415fbbe0208ce2a1fdb522a2b520ce078de57f3288f67ce3ef58f47302793c1
                                                      • Instruction ID: d0c19311dde6267a4bb4ab52f25618acd222dbd1e0811d10128bee9a73dbfb87
                                                      • Opcode Fuzzy Hash: 6415fbbe0208ce2a1fdb522a2b520ce078de57f3288f67ce3ef58f47302793c1
                                                      • Instruction Fuzzy Hash: 1B21E3B6D00248DFDB10CFA9D984AEEBBF5FB48324F14841AE954A7310C374A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0165BD87
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: ef8fb16fbc230d3cddbe6f1eebce537822377a8ef822a9d1985dedbe548b7fae
                                                      • Instruction ID: fcc67b0411a26e16de902aa19978463e5a3e3ff1c229d726d151e43bd68f43ab
                                                      • Opcode Fuzzy Hash: ef8fb16fbc230d3cddbe6f1eebce537822377a8ef822a9d1985dedbe548b7fae
                                                      • Instruction Fuzzy Hash: D821C2B5D00249DFDB10CFAAD984ADEBBF9FB48324F14841AE954A3310D378A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,016596A9,00000800,00000000,00000000), ref: 016598BA
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 3e5cf3039eeb7c6073ef829bd0840ed5e110258dd24ffab0845814bc60deb17d
                                                      • Instruction ID: bc7150c20cb36524d56e3f2be7a7abddd045ce205898c62d051b82dde37ea0ae
                                                      • Opcode Fuzzy Hash: 3e5cf3039eeb7c6073ef829bd0840ed5e110258dd24ffab0845814bc60deb17d
                                                      • Instruction Fuzzy Hash: 681103B6D04249DFDB10CF9AC844ADEBBF4EB88324F05842EE915A7700C375A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,016596A9,00000800,00000000,00000000), ref: 016598BA
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: a540e21f67e0f1476acc1926a639632e60a591a0cd539a9da38e91f48e9f7614
                                                      • Instruction ID: 6bf0818ac5ee782ef2e05afd9f236a4b5618982eb7132eb9f616a826507e22e2
                                                      • Opcode Fuzzy Hash: a540e21f67e0f1476acc1926a639632e60a591a0cd539a9da38e91f48e9f7614
                                                      • Instruction Fuzzy Hash: 6A1103B6D00209DFDB10CF9AC844ADEBBF4EB88324F15842AE915A7700C379A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0165962E
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 98b6b8fd6aac1f41c6e58e9ca8f93e5d87af1ffefbf1e6ae82efddbe19bf9933
                                                      • Instruction ID: 22e4ccd05df0afa1c80c15f83ca68ba8646cb99b16391e0f3f57631ec8dc5f11
                                                      • Opcode Fuzzy Hash: 98b6b8fd6aac1f41c6e58e9ca8f93e5d87af1ffefbf1e6ae82efddbe19bf9933
                                                      • Instruction Fuzzy Hash: BC11DFB5D00659CFDB10CF9AC844ADEFBF4AB88324F14841AD969A7600D375A54ACFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 0165FE9D
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: 50ab8896ea92ad438d43f29d0687cea4b5b050e68f822e471637a82cf16e3496
                                                      • Instruction ID: 838e93ecd6a7fc9235cdc73c1d2f56afb4c12e1dcdb9688b077f899d005b3af7
                                                      • Opcode Fuzzy Hash: 50ab8896ea92ad438d43f29d0687cea4b5b050e68f822e471637a82cf16e3496
                                                      • Instruction Fuzzy Hash: CF11F2B58002499FDB10CF99D989BDFBBF8EB88324F14845AE958B3700C374A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 0165FE9D
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.552494399.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_1650000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: db952451c47f2f9d155c68e25d826f95ddeafe78ddb5f8b0a422a53c5da771a7
                                                      • Instruction ID: 3b46eb6be2908cc4493c045a816ed58f5ab8d1485bcc269cbda0159d0096f17d
                                                      • Opcode Fuzzy Hash: db952451c47f2f9d155c68e25d826f95ddeafe78ddb5f8b0a422a53c5da771a7
                                                      • Instruction Fuzzy Hash: E01100B58002499FDB10CF99D988BDFBBF8EB88324F10845AE954A3700C374A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.550803097.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_13dd000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ecf069b9f18e7ed4031945bb00772905792f19a242e0954fa74e0ee934979271
                                                      • Instruction ID: 4fb98b709367e647389b4145b490e7859d71cdf85984d103e491e81ad2c1c0da
                                                      • Opcode Fuzzy Hash: ecf069b9f18e7ed4031945bb00772905792f19a242e0954fa74e0ee934979271
                                                      • Instruction Fuzzy Hash: E12145B2504244DFDB01CF94E9C0BA6BF75FB88328F24C568E9095B687C736E856C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.550803097.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_13dd000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ef5e271c0c22e16d26676cd3497a431353b0521b306bb9b7f7662596802df91
                                                      • Instruction ID: f1be91ba4ed862108e7b530a805b29d4db4be866191aa698c72d39bf0ef62c15
                                                      • Opcode Fuzzy Hash: 9ef5e271c0c22e16d26676cd3497a431353b0521b306bb9b7f7662596802df91
                                                      • Instruction Fuzzy Hash: 9E213AB2904244DFDB01CF94E9C0F66BF66FB8832CF248569E9054B287C336D855C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.550925093.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_13ed000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6144832389a63775e380c09873428bda7036b850fee4ce6610b9bca70c944388
                                                      • Instruction ID: 5b159a47cbc34b571db3ff0feb49d63f657e53051c5db98646ec067f39a000bd
                                                      • Opcode Fuzzy Hash: 6144832389a63775e380c09873428bda7036b850fee4ce6610b9bca70c944388
                                                      • Instruction Fuzzy Hash: 5D2122B1508344DFDB11CF64D9C8B26BFA5FB88358F28C969D90A4B786C336DC46CA61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.550803097.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_13dd000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6866c8b08434bdbd5fa1578fb5b946e87ca1ac65ff923eebbf5c9b940695a3d8
                                                      • Instruction ID: 63dd41f6642ea1eddfd0720a479e23ea26b33e81b8d3caba96dea94d714beb3b
                                                      • Opcode Fuzzy Hash: 6866c8b08434bdbd5fa1578fb5b946e87ca1ac65ff923eebbf5c9b940695a3d8
                                                      • Instruction Fuzzy Hash: 2C11D376804280DFDB12CF54E5C4B56BF71FB84324F24C6A9D8451B657C336E45ACBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.550803097.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_13dd000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6866c8b08434bdbd5fa1578fb5b946e87ca1ac65ff923eebbf5c9b940695a3d8
                                                      • Instruction ID: c16fec537dd35e19360257a637d295aa76e017c4dbdbf8c2b2baa3bd1941a1f6
                                                      • Opcode Fuzzy Hash: 6866c8b08434bdbd5fa1578fb5b946e87ca1ac65ff923eebbf5c9b940695a3d8
                                                      • Instruction Fuzzy Hash: 5211B176804280DFDB12CF54E9C4B56BF72FB84328F2486A9D9050B657C336D45ACBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.550925093.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_13ed000_INQUIRY.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 160c55156eb95c146c39425625c3806d82299980a852a736bf6cea8fd3a176a8
                                                      • Instruction ID: 1f231ebbc0c35b18c3e3e5b09dc3354598e855b5e0718c21a65fbd74c4d15854
                                                      • Opcode Fuzzy Hash: 160c55156eb95c146c39425625c3806d82299980a852a736bf6cea8fd3a176a8
                                                      • Instruction Fuzzy Hash: 1A11BE75504380CFDB12CF54D5C4B15BFA1FB44318F28C6A9D8094B696C33AD84ACB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%