Edit tour

Windows Analysis Report
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Overview

General Information

Sample Name:	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Analysis ID:	798399
MD5:	8c4f47a96a1f9f58ab28a2353627c153
SHA1:	4e7e9f7c7d630e2406fe76ad1576d35a773e9e06
SHA256:	e1cfeeaabcfa9339523fae340820f04895c7a8332b806fd4e813343516928dde
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

PE file has nameless sections

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

PE file contains section with special chars

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe (PID: 4864 cmdline: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe MD5: 8C4F47A96A1F9F58AB28A2353627C153)

HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe (PID: 5368 cmdline: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe MD5: 8C4F47A96A1F9F58AB28A2353627C153)

dhcpmon.exe (PID: 5240 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 8C4F47A96A1F9F58AB28A2353627C153)

dhcpmon.exe (PID: 5168 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 8C4F47A96A1F9F58AB28A2353627C153)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b210040d-15e5-44d6-9102-34199926", "Group": "Default", "Domain1": "servicepoint.duckdns.org", "Domain2": "", "Port": 6755, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4d495:$name: ConfuserEx 0x4cecb:$compile: AssemblyTitle

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4d495:$name: ConfuserEx 0x4cecb:$compile: AssemblyTitle

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3e2ed:$x1: NanoCore.ClientPluginHost 0x6666d:$x1: NanoCore.ClientPluginHost 0x3e32a:$x2: IClientNetworkHost 0x666aa:$x2: IClientNetworkHost 0x41e5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6a1dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3e055:$a: NanoCore 0x3e065:$a: NanoCore 0x3e299:$a: NanoCore 0x3e2ad:$a: NanoCore 0x3e2ed:$a: NanoCore 0x663d5:$a: NanoCore 0x663e5:$a: NanoCore 0x66619:$a: NanoCore 0x6662d:$a: NanoCore 0x6666d:$a: NanoCore 0x3e0b4:$b: ClientPlugin 0x3e2b6:$b: ClientPlugin 0x3e2f6:$b: ClientPlugin 0x66434:$b: ClientPlugin 0x66636:$b: ClientPlugin 0x66676:$b: ClientPlugin 0x3e1db:$c: ProjectData 0x6655b:$c: ProjectData 0x3ebe2:$d: DESCrypto 0x66f62:$d: DESCrypto 0x465ae:$e: KeepAlive
00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3e2ed:$a1: NanoCore.ClientPluginHost 0x6666d:$a1: NanoCore.ClientPluginHost 0x3e2ad:$a2: NanoCore.ClientPlugin 0x6662d:$a2: NanoCore.ClientPlugin 0x40206:$b1: get_BuilderSettings 0x68586:$b1: get_BuilderSettings 0x3e109:$b2: ClientLoaderForm.resources 0x66489:$b2: ClientLoaderForm.resources 0x3f926:$b3: PluginCommand 0x67ca6:$b3: PluginCommand 0x3e2de:$b4: IClientAppHost 0x6665e:$b4: IClientAppHost 0x4875e:$b5: GetBlockHash 0x70ade:$b5: GetBlockHash 0x4085e:$b6: AddHostEntry 0x68bde:$b6: AddHostEntry 0x44551:$b7: LogClientException 0x6c8d1:$b7: LogClientException 0x407cb:$b8: PipeExists 0x68b4b:$b8: PipeExists 0x3e317:$b9: IClientLoggingHost
00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35756:$a: NanoCore 0x3577b:$a: NanoCore 0x357d4:$a: NanoCore 0x4597f:$a: NanoCore 0x459a5:$a: NanoCore 0x45a01:$a: NanoCore 0x5285f:$a: NanoCore 0x528b8:$a: NanoCore 0x528eb:$a: NanoCore 0x52b17:$a: NanoCore 0x52b93:$a: NanoCore 0x531ac:$a: NanoCore 0x532f5:$a: NanoCore 0x537c9:$a: NanoCore 0x53ab0:$a: NanoCore 0x53ac7:$a: NanoCore 0x5c96f:$a: NanoCore 0x5c9eb:$a: NanoCore 0x5f2ce:$a: NanoCore 0x6489d:$a: NanoCore 0x64917:$a: NanoCore
00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3577b:$a1: NanoCore.ClientPluginHost 0x459a5:$a1: NanoCore.ClientPluginHost 0x52b17:$a1: NanoCore.ClientPluginHost 0x5c96f:$a1: NanoCore.ClientPluginHost 0x6489d:$a1: NanoCore.ClientPluginHost 0x6a878:$a1: NanoCore.ClientPluginHost 0x742eb:$a1: NanoCore.ClientPluginHost 0x7c39e:$a1: NanoCore.ClientPluginHost 0x84177:$a1: NanoCore.ClientPluginHost 0x8f161:$a1: NanoCore.ClientPluginHost 0x9af0f:$a1: NanoCore.ClientPluginHost 0xa6c62:$a1: NanoCore.ClientPluginHost 0x35756:$a2: NanoCore.ClientPlugin 0x4597f:$a2: NanoCore.ClientPlugin 0x52b93:$a2: NanoCore.ClientPlugin 0x5c9eb:$a2: NanoCore.ClientPlugin 0x64917:$a2: NanoCore.ClientPlugin 0x6a8c2:$a2: NanoCore.ClientPlugin 0x743d5:$a2: NanoCore.ClientPlugin 0x7c3e8:$a2: NanoCore.ClientPlugin 0x84217:$a2: NanoCore.ClientPlugin
00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11621:$a1: NanoCore.ClientPluginHost 0x115e4:$a2: NanoCore.ClientPlugin 0x119b8:$b1: get_BuilderSettings 0x1166f:$b4: IClientAppHost 0x11a29:$b6: AddHostEntry 0x11a98:$b7: LogClientException 0x11a0d:$b8: PipeExists 0x1165c:$b9: IClientLoggingHost
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x109e5:$x1: NanoCore.ClientPluginHost 0x46135:$x1: NanoCore.ClientPluginHost 0x10a22:$x2: IClientNetworkHost 0x46172:$x2: IClientNetworkHost 0x14555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x49ca5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1074d:$a: NanoCore 0x1075d:$a: NanoCore 0x10991:$a: NanoCore 0x109a5:$a: NanoCore 0x109e5:$a: NanoCore 0x45e9d:$a: NanoCore 0x45ead:$a: NanoCore 0x460e1:$a: NanoCore 0x460f5:$a: NanoCore 0x46135:$a: NanoCore 0x107ac:$b: ClientPlugin 0x109ae:$b: ClientPlugin 0x109ee:$b: ClientPlugin 0x45efc:$b: ClientPlugin 0x460fe:$b: ClientPlugin 0x4613e:$b: ClientPlugin 0x108d3:$c: ProjectData 0x46023:$c: ProjectData 0x112da:$d: DESCrypto 0x46a2a:$d: DESCrypto 0x18ca6:$e: KeepAlive
00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x109e5:$a1: NanoCore.ClientPluginHost 0x46135:$a1: NanoCore.ClientPluginHost 0x109a5:$a2: NanoCore.ClientPlugin 0x460f5:$a2: NanoCore.ClientPlugin 0x128fe:$b1: get_BuilderSettings 0x4804e:$b1: get_BuilderSettings 0x10801:$b2: ClientLoaderForm.resources 0x45f51:$b2: ClientLoaderForm.resources 0x1201e:$b3: PluginCommand 0x4776e:$b3: PluginCommand 0x109d6:$b4: IClientAppHost 0x46126:$b4: IClientAppHost 0x1ae56:$b5: GetBlockHash 0x505a6:$b5: GetBlockHash 0x12f56:$b6: AddHostEntry 0x486a6:$b6: AddHostEntry 0x16c49:$b7: LogClientException 0x4c399:$b7: LogClientException 0x12ec3:$b8: PipeExists 0x48613:$b8: PipeExists 0x10a0f:$b9: IClientLoggingHost
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10d45:$x1: NanoCore.ClientPluginHost 0x10d82:$x2: IClientNetworkHost 0x148b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10aad:$a: NanoCore 0x10abd:$a: NanoCore 0x10cf1:$a: NanoCore 0x10d05:$a: NanoCore 0x10d45:$a: NanoCore 0x10b0c:$b: ClientPlugin 0x10d0e:$b: ClientPlugin 0x10d4e:$b: ClientPlugin 0x10c33:$c: ProjectData 0x1163a:$d: DESCrypto 0x19006:$e: KeepAlive 0x16ff4:$g: LogClientMessage 0x131ef:$i: get_Connected 0x11970:$j: #=q 0x119a0:$j: #=q 0x119bc:$j: #=q 0x119ec:$j: #=q 0x11a08:$j: #=q 0x11a24:$j: #=q 0x11a54:$j: #=q 0x11a70:$j: #=q
00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10d45:$a1: NanoCore.ClientPluginHost 0x10d05:$a2: NanoCore.ClientPlugin 0x12c5e:$b1: get_BuilderSettings 0x10b61:$b2: ClientLoaderForm.resources 0x1237e:$b3: PluginCommand 0x10d36:$b4: IClientAppHost 0x1b1b6:$b5: GetBlockHash 0x132b6:$b6: AddHostEntry 0x16fa9:$b7: LogClientException 0x13223:$b8: PipeExists 0x10d6f:$b9: IClientLoggingHost
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4816:$x1: NanoCore.ClientPluginHost 0x2d061:$x1: NanoCore.ClientPluginHost 0x59b14:$x1: NanoCore.ClientPluginHost 0x4853:$x2: IClientNetworkHost 0x2d09e:$x2: IClientNetworkHost 0x59b51:$x2: IClientNetworkHost 0x8344:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x133ca:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e806:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x30b8f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bc15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x48294:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5d642:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x686c8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x44e3:$a: NanoCore 0x44f3:$a: NanoCore 0x45b2:$a: NanoCore 0x45c1:$a: NanoCore 0x47c2:$a: NanoCore 0x47d6:$a: NanoCore 0x4816:$a: NanoCore 0xfa34:$a: NanoCore 0xfa46:$a: NanoCore 0xfa82:$a: NanoCore 0x1ae70:$a: NanoCore 0x1ae82:$a: NanoCore 0x1aebe:$a: NanoCore 0x2cd2e:$a: NanoCore 0x2cd3e:$a: NanoCore 0x2cdfd:$a: NanoCore 0x2ce0c:$a: NanoCore 0x2d00d:$a: NanoCore 0x2d021:$a: NanoCore 0x2d061:$a: NanoCore 0x3827f:$a: NanoCore
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4816:$a1: NanoCore.ClientPluginHost 0x2d061:$a1: NanoCore.ClientPluginHost 0x59b14:$a1: NanoCore.ClientPluginHost 0x47d6:$a2: NanoCore.ClientPlugin 0x2d021:$a2: NanoCore.ClientPlugin 0x59ad4:$a2: NanoCore.ClientPlugin 0x66ed:$b1: get_BuilderSettings 0x2ef38:$b1: get_BuilderSettings 0x5b9eb:$b1: get_BuilderSettings 0x4597:$b2: ClientLoaderForm.resources 0x2cde2:$b2: ClientLoaderForm.resources 0x59895:$b2: ClientLoaderForm.resources 0x5e0d:$b3: PluginCommand 0x2e658:$b3: PluginCommand 0x5b10b:$b3: PluginCommand 0x4807:$b4: IClientAppHost 0x2d052:$b4: IClientAppHost 0x59b05:$b4: IClientAppHost 0xec40:$b5: GetBlockHash 0x3748b:$b5: GetBlockHash 0x63f3e:$b5: GetBlockHash
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x163be:$x1: NanoCore.ClientPluginHost 0x9b0af:$x1: NanoCore.ClientPluginHost 0x1228b2:$x1: NanoCore.ClientPluginHost 0x163e8:$x2: IClientNetworkHost 0x9b0c9:$x2: IClientNetworkHost 0x1228ef:$x2: IClientNetworkHost 0x1263e0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x131466:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1535f:$a: NanoCore 0x16399:$a: NanoCore 0x163be:$a: NanoCore 0x16417:$a: NanoCore 0x19eab:$a: NanoCore 0x19ece:$a: NanoCore 0x19f23:$a: NanoCore 0x24fc2:$a: NanoCore 0x24fe6:$a: NanoCore 0x2503e:$a: NanoCore 0x2c4b6:$a: NanoCore 0x2c50f:$a: NanoCore 0x2c535:$a: NanoCore 0x2c8cb:$a: NanoCore 0x2c90f:$a: NanoCore 0x2c952:$a: NanoCore 0x2c9a5:$a: NanoCore 0x2c9d4:$a: NanoCore 0x2cbda:$a: NanoCore 0x2cc4e:$a: NanoCore 0x2d205:$a: NanoCore
Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x163be:$a1: NanoCore.ClientPluginHost 0x9b0af:$a1: NanoCore.ClientPluginHost 0x1228b2:$a1: NanoCore.ClientPluginHost 0x16399:$a2: NanoCore.ClientPlugin 0x9b072:$a2: NanoCore.ClientPlugin 0x122872:$a2: NanoCore.ClientPlugin 0x19cf9:$b1: get_BuilderSettings 0x9b415:$b1: get_BuilderSettings 0x124789:$b1: get_BuilderSettings 0x122633:$b2: ClientLoaderForm.resources 0x123ea9:$b3: PluginCommand 0x163af:$b4: IClientAppHost 0x9b0fd:$b4: IClientAppHost 0x1228a3:$b4: IClientAppHost 0x12ccdc:$b5: GetBlockHash 0x9b486:$b6: AddHostEntry 0x124de1:$b6: AddHostEntry 0x12ff00:$b6: AddHostEntry 0x2e03d:$b7: LogClientException 0x9b4f5:$b7: LogClientException 0x128ad4:$b7: LogClientException
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x3850d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x3854a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3c07d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x38285:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x3850d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x39b46:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x39b3a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a9eb:$s3: PipeExists 0x18422:$s4: PipeCreated 0x407a2:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x38537:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x38275:$x1: NanoCore Client 0x38285:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x384cd:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x3850d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x384c2:$i1: IClientApp 0x10163:$i2: IClientData 0x384e3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x384ef:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x384fe:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x38527:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x38537:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x38275:$a: NanoCore 0x38285:$a: NanoCore 0x384b9:$a: NanoCore 0x384cd:$a: NanoCore 0x3850d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x382d4:$b: ClientPlugin 0x384d6:$b: ClientPlugin 0x38516:$b: ClientPlugin 0x1007b:$c: ProjectData 0x383fb:$c: ProjectData 0x10a82:$d: DESCrypto 0x38e02:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x3850d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x384cd:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x3a426:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x38329:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x39b46:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x384fe:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4297e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x3aa7e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x3e771:$b7: LogClientException 0x1266b:$b8: PipeExists 0x3a9eb:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
0.0.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.e0000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4d495:$name: ConfuserEx 0x4cecb:$compile: AssemblyTitle
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x458dd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x4591a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4944d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x45655:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x458dd:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x46f16:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x46f0a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x47dbb:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4db72:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x45907:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x45645:$x1: NanoCore Client 0x45655:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4589d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x458dd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x45892:$i1: IClientApp 0x10163:$i2: IClientData 0x458b3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x458bf:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x458ce:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x458f7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x45907:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x45645:$a: NanoCore 0x45655:$a: NanoCore 0x45889:$a: NanoCore 0x4589d:$a: NanoCore 0x458dd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x456a4:$b: ClientPlugin 0x458a6:$b: ClientPlugin 0x458e6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x457cb:$c: ProjectData 0x10a82:$d: DESCrypto 0x461d2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x458dd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x4589d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x477f6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x456f9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x46f16:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x458ce:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4fd4e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x47e4e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x4bb41:$b7: LogClientException 0x1266b:$b8: PipeExists 0x47dbb:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0xb53b:$x1: NanoCore.ClientPluginHost 0x13469:$x1: NanoCore.ClientPluginHost 0x19444:$x1: NanoCore.ClientPluginHost 0x22eb7:$x1: NanoCore.ClientPluginHost 0x2af6a:$x1: NanoCore.ClientPluginHost 0x32d43:$x1: NanoCore.ClientPluginHost 0x3dd2d:$x1: NanoCore.ClientPluginHost 0x49adb:$x1: NanoCore.ClientPluginHost 0x5582e:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb574:$x2: IClientNetworkHost 0x134a2:$x2: IClientNetworkHost 0x23014:$x2: IClientNetworkHost 0x32d7c:$x2: IClientNetworkHost 0x3dd47:$x2: IClientNetworkHost 0x49af5:$x2: IClientNetworkHost 0x5586b:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0xb53b:$x2: NanoCore.ClientPluginHost 0x13469:$x2: NanoCore.ClientPluginHost 0x19444:$x2: NanoCore.ClientPluginHost 0x22eb7:$x2: NanoCore.ClientPluginHost 0x2af6a:$x2: NanoCore.ClientPluginHost 0x32d43:$x2: NanoCore.ClientPluginHost 0x3dd2d:$x2: NanoCore.ClientPluginHost 0x49adb:$x2: NanoCore.ClientPluginHost 0x5582e:$x2: NanoCore.ClientPluginHost 0x23e0d:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb63f:$s4: PipeCreated 0x13584:$s4: PipeCreated 0x19522:$s4: PipeCreated 0x230ad:$s4: PipeCreated 0x2b048:$s4: PipeCreated 0x32e8e:$s4: PipeCreated 0x3ed62:$s4: PipeCreated 0x4b886:$s4: PipeCreated 0x58c81:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b7:$x2: NanoCore.ClientPlugin 0x134e3:$x2: NanoCore.ClientPlugin 0x1948e:$x2: NanoCore.ClientPlugin 0x22fa1:$x2: NanoCore.ClientPlugin 0x2afb4:$x2: NanoCore.ClientPlugin 0x32de3:$x2: NanoCore.ClientPlugin 0x3dd04:$x2: NanoCore.ClientPlugin 0x49ab2:$x2: NanoCore.ClientPlugin 0x55809:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb53b:$x3: NanoCore.ClientPluginHost 0x13469:$x3: NanoCore.ClientPluginHost 0x19444:$x3: NanoCore.ClientPluginHost 0x22eb7:$x3: NanoCore.ClientPluginHost 0x2af6a:$x3: NanoCore.ClientPluginHost 0x32d43:$x3: NanoCore.ClientPluginHost 0x3dd2d:$x3: NanoCore.ClientPluginHost 0x49adb:$x3: NanoCore.ClientPluginHost 0x5582e:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb53b:$a: NanoCore 0xb5b7:$a: NanoCore 0xde9a:$a: NanoCore 0x13469:$a: NanoCore 0x134e3:$a: NanoCore 0x19444:$a: NanoCore 0x1948e:$a: NanoCore 0x1a0e8:$a: NanoCore 0x22eb7:$a: NanoCore 0x22fa1:$a: NanoCore 0x23e18:$a: NanoCore
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb53b:$a1: NanoCore.ClientPluginHost 0x13469:$a1: NanoCore.ClientPluginHost 0x19444:$a1: NanoCore.ClientPluginHost 0x22eb7:$a1: NanoCore.ClientPluginHost 0x2af6a:$a1: NanoCore.ClientPluginHost 0x32d43:$a1: NanoCore.ClientPluginHost 0x3dd2d:$a1: NanoCore.ClientPluginHost 0x49adb:$a1: NanoCore.ClientPluginHost 0x5582e:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5b7:$a2: NanoCore.ClientPlugin 0x134e3:$a2: NanoCore.ClientPlugin 0x1948e:$a2: NanoCore.ClientPlugin 0x22fa1:$a2: NanoCore.ClientPlugin 0x2afb4:$a2: NanoCore.ClientPlugin 0x32de3:$a2: NanoCore.ClientPlugin 0x3dd04:$a2: NanoCore.ClientPlugin 0x49ab2:$a2: NanoCore.ClientPlugin 0x55809:$a2: NanoCore.ClientPlugin 0x5581f:$b4: IClientAppHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1fb6f:$x1: NanoCore.ClientPluginHost 0x27a9d:$x1: NanoCore.ClientPluginHost 0x2da78:$x1: NanoCore.ClientPluginHost 0x374eb:$x1: NanoCore.ClientPluginHost 0x3f59e:$x1: NanoCore.ClientPluginHost 0x47377:$x1: NanoCore.ClientPluginHost 0x52361:$x1: NanoCore.ClientPluginHost 0x5e10f:$x1: NanoCore.ClientPluginHost 0x69e62:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1fba8:$x2: IClientNetworkHost 0x27ad6:$x2: IClientNetworkHost 0x37648:$x2: IClientNetworkHost 0x473b0:$x2: IClientNetworkHost 0x5237b:$x2: IClientNetworkHost 0x5e129:$x2: IClientNetworkHost 0x69e9f:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d17:$x2: NanoCore.ClientPluginHost 0x1fb6f:$x2: NanoCore.ClientPluginHost 0x27a9d:$x2: NanoCore.ClientPluginHost 0x2da78:$x2: NanoCore.ClientPluginHost 0x374eb:$x2: NanoCore.ClientPluginHost 0x3f59e:$x2: NanoCore.ClientPluginHost 0x47377:$x2: NanoCore.ClientPluginHost 0x52361:$x2: NanoCore.ClientPluginHost 0x5e10f:$x2: NanoCore.ClientPluginHost 0x69e62:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x38441:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e34:$s4: PipeCreated 0x1fc73:$s4: PipeCreated 0x27bb8:$s4: PipeCreated 0x2db56:$s4: PipeCreated 0x376e1:$s4: PipeCreated 0x3f67c:$s4: PipeCreated 0x474c2:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d93:$x2: NanoCore.ClientPlugin 0x1fbeb:$x2: NanoCore.ClientPlugin 0x27b17:$x2: NanoCore.ClientPlugin 0x2dac2:$x2: NanoCore.ClientPlugin 0x375d5:$x2: NanoCore.ClientPlugin 0x3f5e8:$x2: NanoCore.ClientPlugin 0x47417:$x2: NanoCore.ClientPlugin 0x52338:$x2: NanoCore.ClientPlugin 0x5e0e6:$x2: NanoCore.ClientPlugin 0x69e3d:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d17:$x3: NanoCore.ClientPluginHost 0x1fb6f:$x3: NanoCore.ClientPluginHost 0x27a9d:$x3: NanoCore.ClientPluginHost 0x2da78:$x3: NanoCore.ClientPluginHost 0x374eb:$x3: NanoCore.ClientPluginHost 0x3f59e:$x3: NanoCore.ClientPluginHost 0x47377:$x3: NanoCore.ClientPluginHost 0x52361:$x3: NanoCore.ClientPluginHost 0x5e10f:$x3: NanoCore.ClientPluginHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1fb6f:$a: NanoCore 0x1fbeb:$a: NanoCore 0x224ce:$a: NanoCore 0x27a9d:$a: NanoCore 0x27b17:$a: NanoCore 0x2da78:$a: NanoCore 0x2dac2:$a: NanoCore 0x2e71c:$a: NanoCore
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d17:$a1: NanoCore.ClientPluginHost 0x1fb6f:$a1: NanoCore.ClientPluginHost 0x27a9d:$a1: NanoCore.ClientPluginHost 0x2da78:$a1: NanoCore.ClientPluginHost 0x374eb:$a1: NanoCore.ClientPluginHost 0x3f59e:$a1: NanoCore.ClientPluginHost 0x47377:$a1: NanoCore.ClientPluginHost 0x52361:$a1: NanoCore.ClientPluginHost 0x5e10f:$a1: NanoCore.ClientPluginHost 0x69e62:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d93:$a2: NanoCore.ClientPlugin 0x1fbeb:$a2: NanoCore.ClientPlugin 0x27b17:$a2: NanoCore.ClientPlugin 0x2dac2:$a2: NanoCore.ClientPlugin 0x375d5:$a2: NanoCore.ClientPlugin 0x3f5e8:$a2: NanoCore.ClientPlugin 0x47417:$a2: NanoCore.ClientPlugin 0x52338:$a2: NanoCore.ClientPlugin 0x5e0e6:$a2: NanoCore.ClientPlugin
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x2bdaf:$x1: NanoCore.ClientPluginHost 0x33cdd:$x1: NanoCore.ClientPluginHost 0x39cb8:$x1: NanoCore.ClientPluginHost 0x4372b:$x1: NanoCore.ClientPluginHost 0x4b7de:$x1: NanoCore.ClientPluginHost 0x535b7:$x1: NanoCore.ClientPluginHost 0x5e5a1:$x1: NanoCore.ClientPluginHost 0x6a34f:$x1: NanoCore.ClientPluginHost 0x760a2:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x2bde8:$x2: IClientNetworkHost 0x33d16:$x2: IClientNetworkHost 0x43888:$x2: IClientNetworkHost 0x535f0:$x2: IClientNetworkHost 0x5e5bb:$x2: IClientNetworkHost 0x6a369:$x2: IClientNetworkHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14de5:$x2: NanoCore.ClientPluginHost 0x21f57:$x2: NanoCore.ClientPluginHost 0x2bdaf:$x2: NanoCore.ClientPluginHost 0x33cdd:$x2: NanoCore.ClientPluginHost 0x39cb8:$x2: NanoCore.ClientPluginHost 0x4372b:$x2: NanoCore.ClientPluginHost 0x4b7de:$x2: NanoCore.ClientPluginHost 0x535b7:$x2: NanoCore.ClientPluginHost 0x5e5a1:$x2: NanoCore.ClientPluginHost 0x6a34f:$x2: NanoCore.ClientPluginHost 0x760a2:$x2: NanoCore.ClientPluginHost 0x15db4:$s2: FileCommand 0x44681:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7b6:$s4: PipeCreated 0x22074:$s4: PipeCreated 0x2beb3:$s4: PipeCreated 0x33df8:$s4: PipeCreated 0x39d96:$s4: PipeCreated 0x43921:$s4: PipeCreated
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14dbf:$x2: NanoCore.ClientPlugin 0x21fd3:$x2: NanoCore.ClientPlugin 0x2be2b:$x2: NanoCore.ClientPlugin 0x33d57:$x2: NanoCore.ClientPlugin 0x39d02:$x2: NanoCore.ClientPlugin 0x43815:$x2: NanoCore.ClientPlugin 0x4b828:$x2: NanoCore.ClientPlugin 0x53657:$x2: NanoCore.ClientPlugin 0x5e578:$x2: NanoCore.ClientPlugin 0x6a326:$x2: NanoCore.ClientPlugin 0x7607d:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14de5:$x3: NanoCore.ClientPluginHost 0x21f57:$x3: NanoCore.ClientPluginHost 0x2bdaf:$x3: NanoCore.ClientPluginHost 0x33cdd:$x3: NanoCore.ClientPluginHost 0x39cb8:$x3: NanoCore.ClientPluginHost 0x4372b:$x3: NanoCore.ClientPluginHost 0x4b7de:$x3: NanoCore.ClientPluginHost 0x535b7:$x3: NanoCore.ClientPluginHost
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x2bdaf:$a: NanoCore 0x2be2b:$a: NanoCore 0x2e70e:$a: NanoCore 0x33cdd:$a: NanoCore 0x33d57:$a: NanoCore
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14de5:$a1: NanoCore.ClientPluginHost 0x21f57:$a1: NanoCore.ClientPluginHost 0x2bdaf:$a1: NanoCore.ClientPluginHost 0x33cdd:$a1: NanoCore.ClientPluginHost 0x39cb8:$a1: NanoCore.ClientPluginHost 0x4372b:$a1: NanoCore.ClientPluginHost 0x4b7de:$a1: NanoCore.ClientPluginHost 0x535b7:$a1: NanoCore.ClientPluginHost 0x5e5a1:$a1: NanoCore.ClientPluginHost 0x6a34f:$a1: NanoCore.ClientPluginHost 0x760a2:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14dbf:$a2: NanoCore.ClientPlugin 0x21fd3:$a2: NanoCore.ClientPlugin 0x2be2b:$a2: NanoCore.ClientPlugin 0x33d57:$a2: NanoCore.ClientPlugin 0x39d02:$a2: NanoCore.ClientPlugin 0x43815:$a2: NanoCore.ClientPlugin 0x4b828:$a2: NanoCore.ClientPlugin 0x53657:$a2: NanoCore.ClientPlugin
Click to see the 77 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, ProcessId: 5368, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497052810290 02/04/23-04:02:37.885591
SID:	2810290
Source Port:	6755
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970067552816718 02/04/23-04:02:18.413039
SID:	2816718
Source Port:	49700
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971167552816766 02/04/23-04:03:22.114925
SID:	2816766
Source Port:	49711
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970867552816766 02/04/23-04:02:58.659576
SID:	2816766
Source Port:	49708
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971367552816766 02/04/23-04:03:34.873002
SID:	2816766
Source Port:	49713
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971367552816718 02/04/23-04:03:32.601666
SID:	2816718
Source Port:	49713
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971667552816766 02/04/23-04:03:58.093532
SID:	2816766
Source Port:	49716
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497122841753 02/04/23-04:03:27.123757
SID:	2841753
Source Port:	6755
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497032841753 02/04/23-04:02:24.159041
SID:	2841753
Source Port:	6755
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970567552816766 02/04/23-04:02:38.804523
SID:	2816766
Source Port:	49705
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971567552816766 02/04/23-04:03:50.787453
SID:	2816766
Source Port:	49715
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970767552816766 02/04/23-04:02:51.380389
SID:	2816766
Source Port:	49707
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970367552816766 02/04/23-04:02:24.379082
SID:	2816766
Source Port:	49703
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970967552816766 02/04/23-04:03:05.988800
SID:	2816766
Source Port:	49709
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971267552816766 02/04/23-04:03:27.448220
SID:	2816766
Source Port:	49712
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971767552816766 02/04/23-04:04:04.561310
SID:	2816766
Source Port:	49717
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 213.152.161.85 - Destination IP: 192.168.2.3

Timestamp:	213.152.161.85192.168.2.36755497112841753 02/04/23-04:03:22.044641
SID:	2841753
Source Port:	6755
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970067552816766 02/04/23-04:02:19.457207
SID:	2816766
Source Port:	49700
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970667552816766 02/04/23-04:02:45.198697
SID:	2816766
Source Port:	49706
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971467552816766 02/04/23-04:03:42.744453
SID:	2816766
Source Port:	49714
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854970467552816766 02/04/23-04:02:30.984485
SID:	2816766
Source Port:	49704
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 213.152.161.85

Timestamp:	192.168.2.3213.152.161.854971067552816766 02/04/23-04:03:16.374407
SID:	2816766
Source Port:	49710
Destination Port:	6755
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	ReversingLabs: Detection: 44%
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Virustotal: Detection: 56%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Avira: detected

Antivirus detection for URL or domain

Source: servicepoint.duckdns.org

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: servicepoint.duckdns.org	Virustotal: Detection: 11%			Perma Link
Source: servicepoint.duckdns.org	Virustotal: Detection: 11%			Perma Link

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Avira: detection malicious, Label: HEUR/AGEN.1202424

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 44%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 56%			Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

Machine Learning detection for sample

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b210040d-15e5-44d6-9102-34199926", "Group": "Default", "Domain1": "servicepoint.duckdns.org", "Domain2": "", "Port": 6755, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49700 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49700 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49703 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49703
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49704 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49705 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 213.152.161.85:6755 -> 192.168.2.3:49705
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49706 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49707 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49708 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49709 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49710 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49711 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49711
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 213.152.161.85:6755 -> 192.168.2.3:49712
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49712 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49713 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49713 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49714 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49715 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49716 -> 213.152.161.85:6755
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49717 -> 213.152.161.85:6755

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: servicepoint.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: servicepoint.duckdns.org

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

Source: Joe Sandbox View

IP Address: 213.152.161.85 213.152.161.85

Source: global traffic

TCP traffic: 192.168.2.3:49700 -> 213.152.161.85:6755

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://google.com

Source: unknown

DNS traffic detected: queries for: servicepoint.duckdns.org

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

PE file has nameless sections

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name:
Source: dhcpmon.exe.1.dr	Static PE information: section name:

PE file contains section with special chars

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name: 4SUP}s
Source: dhcpmon.exe.1.dr	Static PE information: section name: 4SUP}s

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, type: SAMPLE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37617ac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37f4434.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37dfe00.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.37d3bc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, score = 2021-01-22, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2021-01-25

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951C20	0_2_04951C20
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049515E9	0_2_049515E9
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950E00	0_2_04950E00
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950A58	0_2_04950A58
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951C11	0_2_04951C11
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951005	0_2_04951005
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495080A	0_2_0495080A
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04951052	0_2_04951052
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495084C	0_2_0495084C
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950463	0_2_04950463
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950592	0_2_04950592
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495018E	0_2_0495018E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950DD1	0_2_04950DD1
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495015E	0_2_0495015E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950565	0_2_04950565
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049506A8	0_2_049506A8
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049502D4	0_2_049502D4
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049502C2	0_2_049502C2
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049506E0	0_2_049506E0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950231	0_2_04950231
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_0495023C	0_2_0495023C
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04950388	0_2_04950388
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049507A7	0_2_049507A7
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049507D5	0_2_049507D5
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_049503F0	0_2_049503F0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_04A173F6	0_2_04A173F6
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A2FA8	1_2_033A2FA8
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A23A0	1_2_033A23A0
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A8798	1_2_033A8798
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033AAE38	1_2_033AAE38
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A3850	1_2_033A3850
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A9398	1_2_033A9398
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A306F	1_2_033A306F
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A945F	1_2_033A945F
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 1_2_033A9C40	1_2_033A9C40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960A58	2_2_02960A58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960E00	2_2_02960E00
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02961C20	2_2_02961C20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029602D4	2_2_029602D4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029602C2	2_2_029602C2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960231	2_2_02960231
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296023C	2_2_0296023C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960388	2_2_02960388
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029603F0	2_2_029603F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02961005	2_2_02961005
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296080A	2_2_0296080A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02961052	2_2_02961052
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296084C	2_2_0296084C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296018E	2_2_0296018E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_0296015E	2_2_0296015E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029606A8	2_2_029606A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029606E0	2_2_029606E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029607A7	2_2_029607A7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_029607D5	2_2_029607D5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960C40	2_2_02960C40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960463	2_2_02960463
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960592	2_2_02960592
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_02960565	2_2_02960565
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_05267330	2_2_05267330
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_05267320	2_2_05267320

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: Section: 4SUP}s ZLIB complexity 1.000383148923445
Source: dhcpmon.exe.1.dr	Static PE information: Section: 4SUP}s ZLIB complexity 1.000383148923445

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	ReversingLabs: Detection: 44%
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File read: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_00A8B00E AdjustTokenPrivileges,	0_2_00A8B00E
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Code function: 0_2_00A8AFD7 AdjustTokenPrivileges,	0_2_00A8AFD7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_00DCB4CA AdjustTokenPrivileges,	2_2_00DCB4CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 2_2_00DCB493 AdjustTokenPrivileges,	2_2_00DCB493

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/8@16/2

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\???????
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b210040d-15e5-44d6-9102-34199926a203}

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Code function: 2_2_051A6E30 pushad ; retf

2_2_051A6E31

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name: 4SUP}s
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Static PE information: section name:
Source: dhcpmon.exe.1.dr	Static PE information: section name: 4SUP}s
Source: dhcpmon.exe.1.dr	Static PE information: section name:

Source: initial sample	Static PE information: section name: 4SUP}s entropy: 7.998441047887134
Source: initial sample	Static PE information: section name: 4SUP}s entropy: 7.998441047887134

Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

File opened: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 5320	Thread sleep time: -1520000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe TID: 628	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Window / User API: foregroundWindowGot 825			Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Window / User API: foregroundWindowGot 769			Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Code function: 0_2_04952411 LdrInitializeThunk,

0_2_04952411

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Memory written: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Process created: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to behavior

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.513465450.0000000001583000.00000004.00000020.00020000.00000000.sdmp, HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.352138949.000000000159A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerl
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.380630900.000000000154C000.00000004.00000020.00020000.00000000.sdmp, HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.319503227.0000000001541000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager$:

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.382f160.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.3904858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38574e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.38a7bb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 4864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe PID: 5368, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	2 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	112 Process Injection	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	112 Process Injection	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Obfuscated Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	12 Software Packing	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	57%	Virustotal		Browse
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	100%	Avira	HEUR/AGEN.1202424
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	HEUR/AGEN.1202424
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	57%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1208316		Download File
0.0.HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.e0000.0.unpack	100%	Avira	HEUR/AGEN.1202424		Download File

Domains

Source	Detection	Scanner	Label	Link
servicepoint.duckdns.org	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
servicepoint.duckdns.org	100%	Avira URL Cloud	malware
servicepoint.duckdns.org	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
servicepoint.duckdns.org	213.152.161.85	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
servicepoint.duckdns.org	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.152.161.85	servicepoint.duckdns.org	Netherlands		49453	GLOBALLAYERNL	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	798399
Start date and time:	2023-02-04 04:01:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/8@16/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 350 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 209.197.3.8
Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Execution Graph export aborted for target HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, PID 5368 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:02:01	API Interceptor	838x Sleep call for process: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe modified
04:02:03	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
04:02:14	API Interceptor	1x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
213.152.161.85	GRACED SON.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.RATX-gen.30795.11129.exe	Get hash	malicious	Browse
	PDF.exe	Get hash	malicious	Browse
	u41Y6oxDDd.exe	Get hash	malicious	Browse
	ccsetup120.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
servicepoint.duckdns.org	C76CECD2DA3F218E46C4D2EC8DF95176634C13E35F885.exe	Get hash	malicious	Browse	141.98.102.187
	csI4BNCRrK.exe	Get hash	malicious	Browse	213.152.187.210
	XPzTHI4qGa.exe	Get hash	malicious	Browse	134.19.179.179
	GCNJrvb044.exe	Get hash	malicious	Browse	185.156.175.51

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GLOBALLAYERNL	2c3u2mB7UQ.elf	Get hash	malicious	Browse	213.152.184.159
	SecuriteInfo.com.Variant.Barys.281.3263.32018.exe	Get hash	malicious	Browse	213.152.161.69
	vmware.exe	Get hash	malicious	Browse	5.188.86.237
	VMzq2PxZ1r.exe	Get hash	malicious	Browse	213.152.161.118
	windll32.exe	Get hash	malicious	Browse	213.152.161.249
	SecuriteInfo.com.Win32.PWSX-gen.22914.24244.exe	Get hash	malicious	Browse	213.152.161.118
	SecuriteInfo.com.Win32.PWSX-gen.2533.19730.exe	Get hash	malicious	Browse	213.152.161.118
	7f.dll.dll	Get hash	malicious	Browse	5.188.86.18
	04.dll.dll	Get hash	malicious	Browse	45.227.253.102
	7c.dll.dll	Get hash	malicious	Browse	5.188.86.18
	ECEX2240 304 sheets 42.047mt RFQ-221115-1.js	Get hash	malicious	Browse	134.19.179.235
	http://5.188.87.3	Get hash	malicious	Browse	5.188.87.3
	BLESSEDMI.exe	Get hash	malicious	Browse	213.152.161.5
	SecuriteInfo.com.Variant.Lazy.261382.5819.8689.exe	Get hash	malicious	Browse	213.152.186.40
	GRACED SON.exe	Get hash	malicious	Browse	213.152.161.85
	SecuriteInfo.com.Win32.RATX-gen.30795.11129.exe	Get hash	malicious	Browse	213.152.161.85
	SecuriteInfo.com.Win32.RATX-gen.20187.5922.exe	Get hash	malicious	Browse	213.152.162.94
	eV5pnwjJJD.elf	Get hash	malicious	Browse	213.152.182.82
	Nl0U0feFr9.exe	Get hash	malicious	Browse	91.240.118.160
	Wlrn9LJUFX.exe	Get hash	malicious	Browse	213.152.186.173

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	924672
Entropy (8bit):	6.4582092585373525
Encrypted:	false
SSDEEP:	12288:pLYT+m0qD8CEULAfPpIuG1JZnXiGDyQics5Ec0Y7JOfEhvlQd9DiTsOzLnWIKBlK:pE+K4ozvtYpjsBhX
MD5:	8C4F47A96A1F9F58AB28A2353627C153
SHA1:	4E7E9F7C7D630E2406FE76AD1576D35A773E9E06
SHA-256:	E1CFEEAABCFA9339523FAE340820F04895C7A8332B806FD4E813343516928DDE
SHA-512:	E251A5109139F7440F9E515F8132DC4116E59E29A0CDD2C9FC2DF2EE70B975EB6F8C1E373E5401C0B39A4D8BA9894EA3CCC7645E2C314214D787DFFF28D28478
Malicious:	true
Yara Hits:	Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Arnim Rupp
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 57%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.X.....................P............... ....@.. ...............................'....@.................................`...K....... ...............................................................................................H...........4SU.P.}s..... ......................@....text...H........................... ..`.rsrc... ............l..............@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.log

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
MD5:	80EFBEC081D7836D240503C4C9465FEC
SHA1:	6AF398E08A359457083727BAF296445030A55AC3
SHA-256:	C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
SHA-512:	DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.285418593366258
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2+gYhD5iv:MLF20NaL3z2p29hJ5g522rW2+g2+
MD5:	63CC04E8E9DBE6842611C2E6E948F8FA
SHA1:	61F604AF4DABFEC36C39555FE4A32D1D6417927C
SHA-256:	0EDC65EF06683A15D2C8B6A455F8A29B29AE729069096A060D6C75E12AB0EB60
SHA-512:	57A4B08AEC6F1663C50AFF9259EEBFA50CCE8C4B406555E8522DCCF1E0DA03DA3686AE8208045D4ADC574396B9D8AD87B6C0D64FACE82AC913D2EBEC9A11700E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d83c619a3e1d3\System.Xml.ni.dll",0..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	7.094528505897445
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7r3l3TmKEt5mT1DhFtMhXvvHOxHB3GDq:X4LEnybgCFCtvd7bl3ThE4T19FtMhXvs
MD5:	061E700FE27D852034A5A44BF5985CCF
SHA1:	15B072DE6D6FDD92AE36F074345FA41985833E8D
SHA-256:	4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
SHA-512:	CF6C5458AB50C859740490985D1E7E887D1116F3FA947FF2EC49AF9997A42F3402C63EF42B93498544195D9859FBB19CCC295966564B30F5ADB4A36D4E8886C6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..O*V..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.w

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:nS:nS
MD5:	936600CAA6F0F7229FF1F3E8F92BE5EB
SHA1:	311583C4CA7235B76A80EBF66DABB67119877474
SHA-256:	2632A97CC041EF4110299290C537C046021994E5A5C0E5970D6C6A7E11F917CD
SHA-512:	247551FBCD4BD20952910B2B33BDA3674558D71A24C16B8F9162CCC8D032CB0E7CFA0C85EC63E12200D46ACDECD5484BBB3653B64CABDE1538F8B2BB2CB1AA0E
Malicious:	true
Preview:	......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File Type:	data
Category:	dropped
Size (bytes):	433688
Entropy (8bit):	7.999519077450246
Encrypted:	true
SSDEEP:	12288:dcRKtiKlC1FGhWjoORvi5oCILR9Eax5uoj:KRCiKECCGoD9Eaioj
MD5:	D2D87B1E9F691E38698A9683C9E213C1
SHA1:	87FAA25A212348CCD20567929D52A0ADE5BE07CE
SHA-256:	4115C31136A8A8F4642D3F5E7032A248381FCF36B047CFD911F974600F140039
SHA-512:	541F3C4C9CA97C085065FA5881D9A336F0BE474C90D1C65379CA7CB7F084B6496ED52A61F9133FD29DE5DB57C2B1F2CC302498579C5A158F823612EAC248C5DC
Malicious:	false
Preview:	.........O.......\8..5N..`S.]..[r.$>.\.#v&..$.......Z.i..M.Mn5.@..@...3.R..Y...}>C.b....Z........K..^.d...Z...K.#...dn$e ..XP.^.#.......V...dB.Kn.Y.c..-k....M.D...Q.S..R.X.........._...Zz...#.=<.V.NHZq.h..ON..oq.:...,7H....../..Q..R.u6.."....<.`..z.5b($..9.CF.F1...o?.h.}....;Ay....kL}7...I.-.}..D&...C....%.J..+..1.5.a..Ih....s........G..?..9^0e...p..FCvNt.e...B/...y.h.G.0..o,Q.2[..........e.P8.....yr.....Q....../..S..m.......\.wA.a1.]...oW........PY..h....f:.....Ss.....\.8...@R._A...M..X....V.f).]z..u{.z-....W...NaT+.&:...1.D../.7..\.S..z..!.....#..F.d.......m'..........6.2....:H...bd].._......}.n.=...l.7%r.>...B.Q.K..q...Ex.6.6....P..^...i...Mx...;g...,t..fCd.\.b....e{.\...Y=4......+..T....j}..\|66g.s...z...Y.kTi..?Xy...5\...SO..W.U.3A.$.l..{.D...no.E..v.2.:..a..hdhO..t.w.k..T\|Po.....D?..mG.[.2.;....+...8.6.h!..w.3...w.o.....\|....f.v.to.B.{`o..a.....f.cu..........?......"...u..EA...^)W..z..jtU{^......5#....y.s.......e.l..&...%...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.4582092585373525
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
File size:	924672
MD5:	8c4f47a96a1f9f58ab28a2353627c153
SHA1:	4e7e9f7c7d630e2406fe76ad1576d35a773e9e06
SHA256:	e1cfeeaabcfa9339523fae340820f04895c7a8332b806fd4e813343516928dde
SHA512:	e251a5109139f7440f9e515f8132dc4116e59e29a0cdd2c9fc2df2ee70b975eb6f8c1e373e5401c0b39a4d8ba9894ea3ccc7645e2c314214d787dfff28d28478
SSDEEP:	12288:pLYT+m0qD8CEULAfPpIuG1JZnXiGDyQics5Ec0Y7JOfEhvlQd9DiTsOzLnWIKBlK:pE+K4ozvtYpjsBhX
TLSH:	6C15FF9835203E9ECC5FC471DB791FE49E137E66430AC1D3643B29A9BA9C486CE543A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.X.....................P............... ....@.. ...............................'....@................................

File Icon


Icon Hash:	f0d6e66799bcc678

Static PE Info

General

Entrypoint:	0x4ea00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x58016ADD [Fri Oct 14 23:31:41 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004EA000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e860	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0x5ab20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xea000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x1e000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
4SUP}s	0x2000	0x1a110	0x1a200	False	1.000383148923445	data	7.998441047887134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x1e000	0x6c448	0x6c600	False	0.6105757100634371	data	6.673125048528245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0x5ab20	0x5ac00	False	0.11296918044077135	data	4.047706271353626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe8000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xea000	0x10	0x200	False	0.046875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x8c1d8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144
RT_ICON	0xce200	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536
RT_ICON	0xdea28	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384
RT_ICON	0xe2c50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0xe51f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0xe62a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_GROUP_ICON	0xe6708	0x5a	data
RT_VERSION	0xe6764	0x3bc	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
213.152.161.85192.168.2.36755497052810290 02/04/23-04:02:37.885591	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	6755	49705	213.152.161.85	192.168.2.3
192.168.2.3213.152.161.854970067552816718 02/04/23-04:02:18.413039	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49700	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971167552816766 02/04/23-04:03:22.114925	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49711	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970867552816766 02/04/23-04:02:58.659576	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971367552816766 02/04/23-04:03:34.873002	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49713	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971367552816718 02/04/23-04:03:32.601666	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49713	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971667552816766 02/04/23-04:03:58.093532	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	6755	192.168.2.3	213.152.161.85
213.152.161.85192.168.2.36755497122841753 02/04/23-04:03:27.123757	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6755	49712	213.152.161.85	192.168.2.3
213.152.161.85192.168.2.36755497032841753 02/04/23-04:02:24.159041	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6755	49703	213.152.161.85	192.168.2.3
192.168.2.3213.152.161.854970567552816766 02/04/23-04:02:38.804523	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971567552816766 02/04/23-04:03:50.787453	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970767552816766 02/04/23-04:02:51.380389	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970367552816766 02/04/23-04:02:24.379082	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970967552816766 02/04/23-04:03:05.988800	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971267552816766 02/04/23-04:03:27.448220	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971767552816766 02/04/23-04:04:04.561310	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	6755	192.168.2.3	213.152.161.85
213.152.161.85192.168.2.36755497112841753 02/04/23-04:03:22.044641	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	6755	49711	213.152.161.85	192.168.2.3
192.168.2.3213.152.161.854970067552816766 02/04/23-04:02:19.457207	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49700	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970667552816766 02/04/23-04:02:45.198697	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971467552816766 02/04/23-04:03:42.744453	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49714	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854970467552816766 02/04/23-04:02:30.984485	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	6755	192.168.2.3	213.152.161.85
192.168.2.3213.152.161.854971067552816766 02/04/23-04:03:16.374407	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	6755	192.168.2.3	213.152.161.85

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2023 04:02:04.611284971 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:07.613686085 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:13.629790068 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:15.676836967 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:15.680389881 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.111125946 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.205787897 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.205946922 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.322611094 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.322686911 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.392013073 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.420710087 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.528934002 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.529026031 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.638359070 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.658832073 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.666656017 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.666857958 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.673273087 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.681354046 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.681562901 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.688656092 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.696311951 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.696590900 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.703542948 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.711205959 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.711426973 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.719104052 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.726268053 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.726416111 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.739782095 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.747046947 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.747176886 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.754599094 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.761791945 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.761902094 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.770402908 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.777575970 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.777683020 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.785461903 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.792680979 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.792895079 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.801043034 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.808748007 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.809031010 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.816339016 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.823241949 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.823446989 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.832508087 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.839982986 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.840135098 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.846998930 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.854598999 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.854706049 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.861953974 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.869898081 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.870024920 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.877110958 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.884836912 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.884959936 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.913599968 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.921849012 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.922086954 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.929075003 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.937515974 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.937809944 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.944855928 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.952564001 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.952915907 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.960236073 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.967772961 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.967920065 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.975361109 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.983282089 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.983412981 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:16.991182089 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.998938084 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:16.999104023 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.006727934 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.014380932 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.014542103 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.022173882 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.029648066 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.029809952 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.037746906 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.045418978 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.045552015 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.053241968 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.060940981 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.061116934 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.069979906 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.077694893 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.077814102 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.085335016 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.093101978 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.093220949 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.100375891 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.108539104 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.108741999 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.116328955 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.124355078 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.124470949 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.131817102 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.139739037 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.139930964 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.147165060 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.154736042 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.154925108 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.162503004 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.170200109 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.170375109 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.178278923 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.185858011 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.186032057 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.193615913 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.201102018 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.201308012 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.209151030 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.216532946 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.216794014 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.225620985 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.233153105 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.233413935 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.241090059 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.248408079 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.248594046 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.258687019 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.266408920 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.266542912 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.273924112 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.281920910 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.282095909 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.292325974 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.300101995 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.300328970 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.307882071 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.315546989 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.315649033 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.326781988 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.334594965 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.334742069 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.342266083 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.350146055 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.350356102 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.358031034 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.365863085 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.366142988 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.373344898 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.381098032 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.381179094 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.388833046 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.396737099 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.396856070 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.405239105 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.413211107 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.413530111 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.424818039 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.432643890 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.432909012 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.437613010 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.443526983 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.443619967 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.451415062 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.451710939 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.461823940 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.462095976 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.469585896 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.469850063 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.477660894 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.477876902 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.485239983 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.485441923 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.494151115 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.494246006 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.501471996 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.501595974 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.510386944 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.510463953 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.518429995 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.518532038 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.525762081 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.525998116 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.533869982 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.533941031 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.544290066 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.544519901 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.552232027 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.552452087 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.559674978 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.559855938 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.567780018 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.568099022 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.576442957 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.576745033 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.584211111 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.584386110 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.594715118 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.594857931 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.602300882 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.602415085 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.611212969 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.611335039 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.619122982 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.619398117 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.628329992 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.628446102 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.636192083 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.636466026 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.646971941 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.647167921 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.654459953 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.654674053 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.663014889 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.663343906 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.671046972 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.671307087 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.678386927 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.678522110 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.686742067 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.687027931 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.695382118 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.695545912 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.703207970 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.703284979 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.715279102 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.715506077 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.722934008 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.723159075 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.732680082 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.732881069 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.740530968 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.740664005 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.750411987 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.750638008 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.757672071 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.757925034 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.767760038 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.767899990 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.770842075 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.775103092 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.775247097 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.783413887 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.783565998 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.790924072 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.791075945 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.799688101 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.799971104 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.807168961 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.807317972 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.814821005 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.814938068 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.823093891 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.823261023 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.832482100 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.832668066 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.840411901 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.840552092 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.851032019 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.851231098 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.858851910 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.859059095 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.867635965 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.867814064 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.876127005 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.883889914 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.884187937 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.893166065 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.900459051 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.900616884 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.910387039 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.917706013 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.917884111 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.925400972 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.932919025 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.933126926 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.941061020 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.950226068 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.950531960 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.957853079 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.965554953 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.965823889 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.973676920 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.980777025 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.980926991 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:17.988688946 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.997292995 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:17.997399092 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.005361080 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.013006926 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.013142109 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.016980886 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.020975113 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.021054983 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.028376102 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.028516054 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.036103010 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.036504984 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.044215918 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.044456005 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.051572084 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.051846027 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.060539007 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.060714006 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.069000959 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.069216967 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.078306913 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.078396082 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.085625887 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.085788012 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.093736887 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.093812943 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.101208925 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.101286888 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.108612061 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.108685017 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.117697954 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.117779016 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.126565933 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.126629114 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.134907007 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.135008097 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.144035101 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.144304991 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.151515961 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.151731968 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.167511940 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.167701960 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.180704117 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.180859089 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.187052011 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.187119961 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.195338964 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.195574045 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.196599007 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.203870058 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.203986883 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.212025881 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.212161064 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.220731974 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.220853090 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.230118990 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.230283976 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.237421036 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.237605095 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.245537043 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.245703936 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.254609108 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.254761934 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.263066053 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.263267040 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.270354033 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.270484924 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.278239965 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.278357029 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.285767078 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.285851002 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.294231892 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.294361115 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.301455975 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.301538944 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.308934927 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.308985949 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.316880941 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.316961050 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.324439049 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.324521065 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.332400084 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.332465887 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.339741945 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.339813948 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.347744942 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.347852945 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.355186939 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.355254889 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.366034985 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.366134882 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.372419119 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.372540951 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.380378008 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.381407976 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.381531000 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.389159918 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.389262915 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.397320986 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.397413969 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.404918909 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.405030012 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.412954092 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.413038969 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.420651913 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.420727015 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.428834915 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.428901911 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.437047958 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.437139034 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.444412947 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.444480896 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.452558041 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.452639103 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.460064888 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.460134029 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.468705893 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.469626904 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.476613045 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.476741076 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.501437902 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.501524925 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.508622885 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.508738995 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.518493891 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.518604040 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.524921894 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.525003910 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.533049107 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.533133030 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.541492939 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.541562080 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.550884008 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.550949097 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.557923079 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.557990074 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.566365957 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.566438913 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.573723078 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.573792934 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.581129074 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.581216097 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.592232943 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.592355967 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.600102901 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.600198030 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.607557058 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.607625961 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.615235090 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.615446091 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.623367071 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.623435020 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.630779028 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.630916119 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.639524937 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.640788078 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.647207975 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.647308111 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.655175924 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.655258894 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.662808895 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.662909985 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.670855045 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.670941114 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.678297043 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.678422928 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.686270952 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.686391115 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.693593025 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.693674088 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.701823950 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.701922894 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.713500023 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.713570118 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.723020077 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.723093033 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.732419968 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.732491970 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.741436005 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.741528988 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.754914999 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.754997969 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.762268066 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.762331009 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.771959066 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.772027016 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.780376911 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.780447006 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.788326979 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.788408041 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.798890114 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.798964024 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.807529926 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.807691097 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.807863951 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.816009045 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.816169024 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.824103117 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.824166059 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.831507921 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.831573963 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.838979006 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.839063883 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.846761942 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.846864939 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.854477882 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.854577065 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.862371922 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.862466097 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.870843887 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.870965958 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.878555059 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.878648996 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.886843920 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.886969090 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.894932985 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.895037889 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.906546116 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.906902075 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.913997889 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.914097071 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.921782017 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.921890974 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.930155993 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.930254936 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.937388897 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.937505007 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.945180893 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.945257902 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.952591896 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.952665091 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.960724115 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.960786104 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.967891932 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.967999935 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.975825071 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.975910902 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.983441114 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.983511925 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:18.991419077 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:18.991494894 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:19.000438929 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.000514984 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:19.006934881 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.007080078 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:19.016021967 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.016220093 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:19.017729044 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.019728899 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.031738043 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.040250063 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.042587996 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.057142973 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:19.163389921 CET	6755	49700	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:19.457206964 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:19.457902908 CET	49700	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:23.863065958 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:23.930397034 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:23.930749893 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:23.931317091 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.022742987 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:24.023159981 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.092273951 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:24.092511892 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.159040928 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:24.159398079 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.269710064 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:24.269970894 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.378985882 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:24.379081964 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.427958012 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.443586111 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:24.443665028 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:24.445368052 CET	6755	49703	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:24.445444107 CET	49703	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:28.830555916 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:28.897114992 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:28.897274017 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.032124996 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.123166084 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.123306990 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.228849888 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.228960991 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.298415899 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.298685074 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.417432070 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.417538881 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.528500080 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.528652906 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.638621092 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.638799906 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.687483072 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.705185890 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.705305099 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.775166988 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.818691969 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.844729900 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:29.956442118 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:29.956535101 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.023416042 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.023586988 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.090075016 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.090234041 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.210438967 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.210571051 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.318085909 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.318181038 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.432480097 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.432581902 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.539076090 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.539170027 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.650305033 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.650438070 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.761452913 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.761564016 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.870903969 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.871006966 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:30.981093884 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:30.984484911 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:31.100378036 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:31.106451988 CET	6755	49704	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:31.106549025 CET	49704	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:36.971297979 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.037975073 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.038116932 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.038566113 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.123677015 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.123923063 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.239403009 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.239607096 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.309010029 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.325562000 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.446753979 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.446877003 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.555422068 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.555547953 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.574819088 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.574992895 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.621148109 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.621325016 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.688762903 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.710596085 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.777909040 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.778733015 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.778912067 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.818025112 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.885591030 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.885790110 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:37.952649117 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:37.952892065 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.058775902 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.058991909 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.172308922 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.194931030 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.311373949 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.311573982 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.423062086 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.423304081 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.538552999 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.538692951 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.663696051 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.663966894 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.786294937 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.804522991 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.882486105 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:38.926918030 CET	6755	49705	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:38.927144051 CET	49705	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.103799105 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.172743082 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:43.174273968 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.176142931 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.264159918 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:43.265760899 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.383977890 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:43.386172056 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.457882881 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:43.461050987 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.573858976 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:43.574172020 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:43.683228016 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:43.734251976 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.038857937 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.105792046 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.106051922 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.106357098 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.108675003 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.108793974 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.218365908 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.218486071 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.285079956 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.285238981 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.353239059 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.354898930 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.472441912 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.473850965 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.583545923 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.605889082 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.725240946 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.726066113 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.838709116 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.839160919 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:44.950546980 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:44.950738907 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:45.062326908 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:45.070738077 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:45.192850113 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:45.198697090 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:45.291122913 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:45.314716101 CET	6755	49706	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:45.314896107 CET	49706	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.405846119 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.473258018 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:49.473398924 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.474051952 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.560601950 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:49.560760975 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.686213970 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:49.686322927 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.755584002 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:49.755688906 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.875868082 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:49.876027107 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:49.988931894 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:49.990993977 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.107125998 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.109427929 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.176651001 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.221291065 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.333481073 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.333826065 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.404122114 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.445482969 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.480962038 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.511938095 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.512501001 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.578501940 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.578847885 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.698729992 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.711519003 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.825803995 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:50.852336884 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:50.971364975 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:51.018693924 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:51.130934000 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:51.131325960 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:51.252368927 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:51.255759001 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:51.380233049 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:51.380388975 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:51.477128029 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:51.503947020 CET	6755	49707	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:51.504169941 CET	49707	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.286195040 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.352798939 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:56.352957010 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.414526939 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.504443884 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:56.504534006 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.614001036 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:56.614075899 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.683459044 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:56.683542013 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.807117939 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:56.807274103 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:56.928006887 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:56.928086996 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.323281050 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.323398113 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.325711012 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.394140959 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.396070957 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.489080906 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.491823912 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.557849884 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.562781096 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.684144020 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.686748981 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.753772020 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.782109976 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.848251104 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.866607904 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:57.982773066 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:57.983467102 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:58.091511965 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:58.091758013 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:58.208704948 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:58.209455967 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:58.331172943 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:58.428584099 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:58.551220894 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:58.551325083 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:58.659491062 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:58.659575939 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:02:58.771270037 CET	6755	49708	213.152.161.85	192.168.2.3
Feb 4, 2023 04:02:58.826838970 CET	49708	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:03.278798103 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:03.886986971 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:03.887797117 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:03.923029900 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:04.679256916 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:04.681839943 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:04.919014931 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:04.920773983 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:04.990075111 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:04.990255117 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.104291916 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.104427099 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.216866016 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.216995955 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.339670897 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.339869022 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.448601961 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.472156048 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.476275921 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.525083065 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.538671970 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.538862944 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.594890118 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.649876118 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.681893110 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.682008982 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.753900051 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.754024029 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.825232029 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.869765997 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.874803066 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:05.988676071 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:05.988800049 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:06.097373009 CET	6755	49709	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:06.118845940 CET	49709	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:11.794024944 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:11.861427069 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:11.861650944 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:11.924217939 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:12.012799025 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:12.012912035 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:12.128454924 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:12.128611088 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:12.197913885 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:12.244391918 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:13.009972095 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:13.122013092 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:13.140367031 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:13.260792017 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:13.269752026 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:13.387749910 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:13.421130896 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:13.619365931 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:13.686425924 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:13.728729010 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:14.166028023 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:14.287858009 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:14.465775013 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:14.532919884 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:14.533083916 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:14.605108023 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:14.728780985 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:14.940949917 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:15.062127113 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:15.062268972 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:15.172966957 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:15.173094988 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:15.285190105 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:15.285866976 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:15.394635916 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:15.394766092 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:15.506354094 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:15.654002905 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:15.687002897 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:15.728965044 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:15.775284052 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:15.907793045 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:16.026990891 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:16.066241980 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:16.183507919 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:16.184873104 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:16.292804956 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:16.374407053 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:16.485133886 CET	6755	49710	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:16.543256998 CET	49710	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:21.806700945 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:21.873821020 CET	6755	49711	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:21.873982906 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:21.878340006 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:21.963352919 CET	6755	49711	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:21.963490009 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:22.044641018 CET	6755	49711	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:22.044774055 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:22.114300966 CET	6755	49711	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:22.114924908 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:22.238554001 CET	6755	49711	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:22.238626957 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:22.245296001 CET	49711	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:26.642004967 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:26.709608078 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:26.710897923 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:26.793888092 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:26.889045000 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:26.933026075 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:26.948385954 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.017307997 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:27.057997942 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.123756886 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:27.167295933 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.229013920 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.338202953 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:27.338304996 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.448055983 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:27.448220015 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.558373928 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.559461117 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:27.559613943 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:27.597491026 CET	6755	49712	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:27.597634077 CET	49712	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.200608015 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.272370100 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:32.272600889 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.273013115 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.376149893 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:32.378314972 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.499476910 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:32.502161980 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.574634075 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:32.601665974 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.721111059 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:32.722208023 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.833089113 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:32.834863901 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.942892075 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:32.958257914 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:32.967214108 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:33.011554003 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:33.024679899 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:33.024887085 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:33.148205996 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:33.150895119 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:33.257313013 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:33.257539988 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:33.324199915 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:33.370979071 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:33.445951939 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:33.496053934 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:33.516845942 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:33.638443947 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:33.976126909 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.094594002 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:34.094712019 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.207703114 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:34.426716089 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.536484003 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:34.536669016 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.649547100 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:34.649653912 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.756689072 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:34.761962891 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.872872114 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:34.873002052 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.965876102 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:34.993426085 CET	6755	49713	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:34.994029999 CET	49713	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:39.641999006 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:39.708296061 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:39.711970091 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:39.809989929 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:39.896991968 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:39.898426056 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.012584925 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.013905048 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.082784891 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.137176037 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.162611008 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.279732943 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.279850006 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.392775059 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.393502951 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.525839090 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.526652098 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.574747086 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.640873909 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.673952103 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.784559965 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.784787893 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.851480007 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.851641893 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:40.918040991 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:40.965342999 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:41.123461008 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:41.241616964 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:41.528105974 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:41.637600899 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:41.643363953 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:41.762265921 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:41.871037006 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:41.984893084 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:42.057707071 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:42.118535995 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:42.168567896 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:42.174756050 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:42.176086903 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:42.285729885 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:42.314737082 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:42.443799973 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:42.744452953 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:42.874084949 CET	6755	49714	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:43.211276054 CET	49714	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.115138054 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.184228897 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.184433937 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.184957027 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.275943995 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.276057005 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.384848118 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.385049105 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.454489946 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.454607010 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.572518110 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.572622061 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.683931112 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.684087992 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.794080973 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.816514015 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.856653929 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:48.923051119 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:48.949474096 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:49.064757109 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:49.066231966 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:49.140568972 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:49.183713913 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:49.253343105 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:49.294179916 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:49.464751005 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:49.583369017 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:49.920643091 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.038675070 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:50.139203072 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.158138990 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:50.216129065 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.259510994 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:50.261729002 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.575550079 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.718825102 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:50.719532013 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.743175983 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:50.785821915 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:50.787452936 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.857547998 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:50.894640923 CET	6755	49715	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:50.895787001 CET	49715	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:55.614569902 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:55.680946112 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:55.681189060 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:55.681494951 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:55.767990112 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:55.768115044 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:55.887984991 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:55.888075113 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:55.956959009 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:55.957086086 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.078357935 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.078483105 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.190058947 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.190924883 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.306586027 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.308238983 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.428945065 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.431755066 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.481323957 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.497471094 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.497705936 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.505069017 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.563560009 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.607347012 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.619537115 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.621633053 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.689497948 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.732320070 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.734424114 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.801469088 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:56.857368946 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:56.971532106 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:57.095252991 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:57.096345901 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:57.205317020 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:57.329653025 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:57.446489096 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:57.587043047 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:57.696868896 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:57.704523087 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:57.823240042 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:57.823335886 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:57.935964108 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:57.936093092 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:58.093398094 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:58.093532085 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:58.170172930 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:03:58.386590004 CET	6755	49716	213.152.161.85	192.168.2.3
Feb 4, 2023 04:03:58.386703968 CET	49716	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:02.679030895 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:02.745831966 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:02.746232986 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:02.879900932 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:02.966528893 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:02.966758013 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.087738991 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.087847948 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.157819986 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.160965919 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.278390884 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.304529905 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.422382116 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.422831059 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.531833887 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.532185078 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.642612934 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.664206982 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.717256069 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.774130106 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.785761118 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.826638937 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:03.891767025 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:03.891853094 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:04.006402969 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:04.197824001 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:04.265758038 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:04.265889883 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:04.332415104 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:04.332608938 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:04.450316906 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:04.450470924 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:04.557643890 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:04.561310053 CET	49717	6755	192.168.2.3	213.152.161.85
Feb 4, 2023 04:04:04.674375057 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:09.040026903 CET	6755	49717	213.152.161.85	192.168.2.3
Feb 4, 2023 04:04:09.092752934 CET	49717	6755	192.168.2.3	213.152.161.85

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2023 04:02:04.475367069 CET	49977	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:04.585163116 CET	53	49977	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:23.751883030 CET	57990	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:23.861915112 CET	53	57990	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:28.712673903 CET	52387	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:28.820549965 CET	53	52387	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:36.860551119 CET	56924	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:36.968187094 CET	53	56924	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:43.029052019 CET	60625	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:43.047238111 CET	53	60625	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:49.385057926 CET	49302	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:49.403115034 CET	53	49302	8.8.8.8	192.168.2.3
Feb 4, 2023 04:02:56.138262987 CET	53975	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:02:56.245413065 CET	53	53975	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:03.168420076 CET	51139	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:03.277697086 CET	53	51139	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:11.669126034 CET	52955	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:11.687891960 CET	53	52955	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:21.697429895 CET	60582	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:21.804183006 CET	53	60582	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:26.464158058 CET	57134	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:26.572953939 CET	53	57134	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:32.089087009 CET	62050	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:32.199491024 CET	53	62050	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:39.334427118 CET	56042	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:39.441394091 CET	53	56042	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:48.096045971 CET	59636	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:48.114181042 CET	53	59636	8.8.8.8	192.168.2.3
Feb 4, 2023 04:03:55.169281006 CET	55638	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:03:55.187141895 CET	53	55638	8.8.8.8	192.168.2.3
Feb 4, 2023 04:04:02.506531954 CET	57704	53	192.168.2.3	8.8.8.8
Feb 4, 2023 04:04:02.526576996 CET	53	57704	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 4, 2023 04:02:04.475367069 CET	192.168.2.3	8.8.8.8	0x38ce	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:23.751883030 CET	192.168.2.3	8.8.8.8	0xe29d	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:28.712673903 CET	192.168.2.3	8.8.8.8	0x6bc8	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:36.860551119 CET	192.168.2.3	8.8.8.8	0x1fc4	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:43.029052019 CET	192.168.2.3	8.8.8.8	0x9b90	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:49.385057926 CET	192.168.2.3	8.8.8.8	0xe464	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:56.138262987 CET	192.168.2.3	8.8.8.8	0x1c8c	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:03.168420076 CET	192.168.2.3	8.8.8.8	0xd889	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:11.669126034 CET	192.168.2.3	8.8.8.8	0x1f72	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:21.697429895 CET	192.168.2.3	8.8.8.8	0x3bb2	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:26.464158058 CET	192.168.2.3	8.8.8.8	0x4477	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:32.089087009 CET	192.168.2.3	8.8.8.8	0x6db4	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:39.334427118 CET	192.168.2.3	8.8.8.8	0xc4e7	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:48.096045971 CET	192.168.2.3	8.8.8.8	0x4382	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:55.169281006 CET	192.168.2.3	8.8.8.8	0x4de6	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:04:02.506531954 CET	192.168.2.3	8.8.8.8	0x627a	Standard query (0)	servicepoint.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 4, 2023 04:02:04.585163116 CET	8.8.8.8	192.168.2.3	0x38ce	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:23.861915112 CET	8.8.8.8	192.168.2.3	0xe29d	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:28.820549965 CET	8.8.8.8	192.168.2.3	0x6bc8	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:36.968187094 CET	8.8.8.8	192.168.2.3	0x1fc4	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:43.047238111 CET	8.8.8.8	192.168.2.3	0x9b90	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:49.403115034 CET	8.8.8.8	192.168.2.3	0xe464	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:02:56.245413065 CET	8.8.8.8	192.168.2.3	0x1c8c	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:03.277697086 CET	8.8.8.8	192.168.2.3	0xd889	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:11.687891960 CET	8.8.8.8	192.168.2.3	0x1f72	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:21.804183006 CET	8.8.8.8	192.168.2.3	0x3bb2	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:26.572953939 CET	8.8.8.8	192.168.2.3	0x4477	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:32.199491024 CET	8.8.8.8	192.168.2.3	0x6db4	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:39.441394091 CET	8.8.8.8	192.168.2.3	0xc4e7	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:48.114181042 CET	8.8.8.8	192.168.2.3	0x4382	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:03:55.187141895 CET	8.8.8.8	192.168.2.3	0x4de6	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false
Feb 4, 2023 04:04:02.526576996 CET	8.8.8.8	192.168.2.3	0x627a	No error (0)	servicepoint.duckdns.org	213.152.161.85	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:01:59
Start date:	04/02/2023
Path:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Imagebase:	0xe0000
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.251706419.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.251706419.0000000003904000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.251706419.00000000038A7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	04:02:01
Start date:	04/02/2023
Path:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Imagebase:	0xde0000
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.511625925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	04:02:11
Start date:	04/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x610000
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Arnim Rupp
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs Detection: 57%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	04:02:15
Start date:	04/02/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:
File size:	924672 bytes
MD5 hash:	8C4F47A96A1F9F58AB28A2353627C153
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	31.7%
Total number of Nodes:	60
Total number of Limit Nodes:	7

Executed Functions

Function 049515E9 Relevance: 7.9, Strings: 6, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Bm8^, xrefs: 049516CD
H3{, xrefs: 049519AA
QQ{, xrefs: 049518AF
Bm8^, xrefs: 0495167B
R+G, xrefs: 04951628
Bm8^, xrefs: 049519A3

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: Bm8^$Bm8^$Bm8^$QQ{$R+G$H3{
API String ID: 0-3406224847
Opcode ID: 8efbe2a15abd2a2d0afcfdee849c7ecb5f0e6ca1124937b5c1a030477c6cc46c
Instruction ID: 327d5bded847a4229c9adac2d390bac634ceec4395aa4163e3a6fa86012a06a3
Opcode Fuzzy Hash: 8efbe2a15abd2a2d0afcfdee849c7ecb5f0e6ca1124937b5c1a030477c6cc46c
Instruction Fuzzy Hash: 4DD12675F05246CFCB04CBB8D9966EDBBB2EB48200B248977E811EB634D634ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04952411 Relevance: 4.9, APIs: 1, Instructions: 3383
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 04952453

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39faebb631dac8973df3b054375fa3364bc4a716d118249f8d9d72ef590c6a89
Instruction ID: 0e045ab90eec9f9eecee6d5fcf593ba2292b6bf379566cbee290ab4dd66230ee
Opcode Fuzzy Hash: 39faebb631dac8973df3b054375fa3364bc4a716d118249f8d9d72ef590c6a89
Instruction Fuzzy Hash: 1C935074E156288FCB60DFB0DD5CA9DBBB5BF48312F1045DAA90AA7220DF345A82CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AFD7 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A8B057

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3fd86bfe284d4374f0b11fb937b960e7763f538d5ccbf288b3c62935d94e94aa
Instruction ID: 15625c14b6585e9d6729dd62e97ef81276f736ebc3abd197878bc4ac624086fb
Opcode Fuzzy Hash: 3fd86bfe284d4374f0b11fb937b960e7763f538d5ccbf288b3c62935d94e94aa
Instruction Fuzzy Hash: BC21AE75509784AFEB228F25DC44B52BFB4EF16310F0884DAE9858F163D375E918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B00E Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A8B057

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6fde782c69b6131335329f7ac462260c358e015e031f1939761263531cb7c925
Instruction ID: 654745ed692867c737feed8c383dd3b880109a69b1911206d2313447bf3a6077
Opcode Fuzzy Hash: 6fde782c69b6131335329f7ac462260c358e015e031f1939761263531cb7c925
Instruction Fuzzy Hash: E9115A726102449FDB20DF65D884B66FBF4EF18324F08C4AAED468B612D375E818DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0495084C Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

b\, xrefs: 0495088F

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: b\
API String ID: 0-1503766954
Opcode ID: 80fd133828d6bc00f87e7c5aed21f7a9a2d82a8267af2b558d285a5fb4b13c7b
Instruction ID: 19e4aa12295f23c0661c9a294d2d1d2ad580e23b5cf555eec513c5643c38e03b
Opcode Fuzzy Hash: 80fd133828d6bc00f87e7c5aed21f7a9a2d82a8267af2b558d285a5fb4b13c7b
Instruction Fuzzy Hash: 717128B2B142068BC749CF34CCD16EEB7B2EF91354B118879C405DF656E734A90B9B86

Uniqueness

Uniqueness Score: -1.00%

Function 049506A8 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

@, xrefs: 049506C9

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 15f857de6af75d1b6775f20d08d24127375c33d15010f75070f6e6b43b95c3a2
Instruction ID: b63bad29a48d61d85da4aa8c6ca7df5d10c8933b526c21c1794aca085970a699
Opcode Fuzzy Hash: 15f857de6af75d1b6775f20d08d24127375c33d15010f75070f6e6b43b95c3a2
Instruction Fuzzy Hash: 6D7169B2F142068FC744CF348CD16EEB7B2EB91254F108839C805DF6A6E635990B9B82

Uniqueness

Uniqueness Score: -1.00%

Function 04951C20 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977675bab56a6ad8260ef1d9e464a3ea292916732286ff9c7b165f8063f924f5
Instruction ID: 4e2a602f48873827d1da45213d409f589f04b4019ed48ef1881e1e96039d0f4d
Opcode Fuzzy Hash: 977675bab56a6ad8260ef1d9e464a3ea292916732286ff9c7b165f8063f924f5
Instruction Fuzzy Hash: A9D1A931F052158FCB14DBB8D9956AEBBB2EB58300F218476E806EB361DB34ED06CB55

Uniqueness

Uniqueness Score: -1.00%

Function 04950E00 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccd0b11b106e555bd58058588d91883373d54cb3c060c415ed1d5b32c8abf3f
Instruction ID: 908d795b7f2493f4555eeb86648546f55c719d8f574e3cdb01a88abdfa643949
Opcode Fuzzy Hash: cccd0b11b106e555bd58058588d91883373d54cb3c060c415ed1d5b32c8abf3f
Instruction Fuzzy Hash: 39D1E331F04255CBCB04DFB4E98569EBBB2BF85340B258476E846EB361DA35AC06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04950DD1 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bbb101fda43bb337bfec56c1d717d872875cc1c018b15d076fcf0ac61617c0
Instruction ID: 983b3c0d6effaada751f4e816a9cfeb88173a97f803428daaa4cde1cef4b9eec
Opcode Fuzzy Hash: 23bbb101fda43bb337bfec56c1d717d872875cc1c018b15d076fcf0ac61617c0
Instruction Fuzzy Hash: 4CB1C131F04255CBCB04DFB4D5556AEBBF2AF84340B258876E846EB271DA34AC05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04951C11 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a23c83a87987eb78b54d40807c870fc6f53bc11cc477f0049c369bfd79cfdfc
Instruction ID: fb17f21d765d44e735a23b3a18cc4c26d806fa4c20323e3e3da1d91b5436951c
Opcode Fuzzy Hash: 1a23c83a87987eb78b54d40807c870fc6f53bc11cc477f0049c369bfd79cfdfc
Instruction Fuzzy Hash: 87B15335F012059FCB14DBF8D995BAEBBB2AF58340F218466E806EB360DB34AC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 049502D4 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bfa579979bc570bcf34d1264ff7542bafac43d19517a1e3a008bad197ca160
Instruction ID: 1c6cde80fc5ace0107da43ff9148c02d1b9aba095cd33807400e62793437c32b
Opcode Fuzzy Hash: 09bfa579979bc570bcf34d1264ff7542bafac43d19517a1e3a008bad197ca160
Instruction Fuzzy Hash: B88128B2F142068FC754CF34CCD55DAB7B6EB51254B11883AC8059F656E731E90B8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0495023C Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71882f32e380319f7eeae025d13f2d6b21a3e36afe42aaab579445f47a9f0bbc
Instruction ID: e47838fee6dd74823544d5a930232df0f67e9d396f066db154a683783c711353
Opcode Fuzzy Hash: 71882f32e380319f7eeae025d13f2d6b21a3e36afe42aaab579445f47a9f0bbc
Instruction Fuzzy Hash: 74815BB2F142068FC754CF34CCD56D9B7B2EB95254B118839C809DFA56E731E90B8B81

Uniqueness

Uniqueness Score: -1.00%

Function 049502C2 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28db0683bd2acfa5ae7e1295f9199f8643fd858b30b20bdcc8ff95121f73b28
Instruction ID: 33b57cd3250e3288b8b334ff80d630f2ddfa93d583aadd90a2bb76c333a817b6
Opcode Fuzzy Hash: c28db0683bd2acfa5ae7e1295f9199f8643fd858b30b20bdcc8ff95121f73b28
Instruction Fuzzy Hash: 3A7149B2F142068FC744CF358CD16EEB7B2EB91254B11883AC805DF666E735E90B9B81

Uniqueness

Uniqueness Score: -1.00%

Function 0495015E Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b49a4ad692b3ac0b1d654558fc73457b34f332799ee7cf51ab4a4b98794bf3
Instruction ID: 1c08a9edc7cd733925d6d531a109a73420f5f897d9c6c269e15df1c6ee676abd
Opcode Fuzzy Hash: 20b49a4ad692b3ac0b1d654558fc73457b34f332799ee7cf51ab4a4b98794bf3
Instruction Fuzzy Hash: B5717CB2F142068FC744CF348CC16EEB7B2EB91254F158879C405DF6A6E735990B9B82

Uniqueness

Uniqueness Score: -1.00%

Function 0495080A Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e310b52f4969ff92194b6a972f58e3e457b508e3176b33b3fd240801fb3aa15
Instruction ID: 328c627054e8b0aa7e671ee8a734f0d4e20554f2b94102b1bd042b405e50d56f
Opcode Fuzzy Hash: 4e310b52f4969ff92194b6a972f58e3e457b508e3176b33b3fd240801fb3aa15
Instruction Fuzzy Hash: C17128B2F1420A8BC744CF39C8D16DEBBB2EB91254F118839C405DF6A6E735D90B9B85

Uniqueness

Uniqueness Score: -1.00%

Function 04950592 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bfbbaafced5e24a25620cfe30601cd8a0e1c889a47c0bf17d63771fd0250dd
Instruction ID: 67e7d57e0132992d4fc3ee1357be65d29f0d7779a03c3a6519cf3af20dc7c04f
Opcode Fuzzy Hash: 09bfbbaafced5e24a25620cfe30601cd8a0e1c889a47c0bf17d63771fd0250dd
Instruction Fuzzy Hash: 17716DB2F142068BC744CF358CD16DEBBB2EB91254F218839C805DF666E735D90B9B81

Uniqueness

Uniqueness Score: -1.00%

Function 0495018E Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c5d6bf7bc3ca7fbea20d8ccf36eaa15c516d036c9d875a1e041e59c067d3bc
Instruction ID: 38a9270069e60452fe7449d0b06c8f44111bcd4986701b948883da99343620d8
Opcode Fuzzy Hash: 19c5d6bf7bc3ca7fbea20d8ccf36eaa15c516d036c9d875a1e041e59c067d3bc
Instruction Fuzzy Hash: 537147B2F142068BC744CF348CD16EAB7B6EB91254F15887AC805DF666E734D90B8B82

Uniqueness

Uniqueness Score: -1.00%

Function 04950388 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605a68d9e51c46168a0fc5a3da47d371c5aac3385ba27e308a5d9c443d4c8993
Instruction ID: 281a4d1a773bc741a7c4ec327c70fc8752265cef23b3f454c448cdf6f463aa21
Opcode Fuzzy Hash: 605a68d9e51c46168a0fc5a3da47d371c5aac3385ba27e308a5d9c443d4c8993
Instruction Fuzzy Hash: A2717CB2F042468FC744CF348CD16DABBB2EB91254B15C87AC405DF666E731D90B9B82

Uniqueness

Uniqueness Score: -1.00%

Function 049503F0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665f8cb04059fb8e4f7ad6875fe500240e9d7d7f792c0aa5a845673621e1300e
Instruction ID: 9f318f266141606e92a9a9b128faaddd977f9395d6c2d39100ad6ecef8450584
Opcode Fuzzy Hash: 665f8cb04059fb8e4f7ad6875fe500240e9d7d7f792c0aa5a845673621e1300e
Instruction Fuzzy Hash: 147149B2F142068BC744CF34C8D16E9B7B2EB91254F10C839C805DF656E731E90B9B82

Uniqueness

Uniqueness Score: -1.00%

Function 04950231 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be119a769c0282b70ab773e08f481b1878baf84b76f97d388127b8c1f3b7db7
Instruction ID: 4b1e2c98709a2a5e5ae6292e4f69062ceb63bca80a4bb298f234aff42a2fb5bd
Opcode Fuzzy Hash: 4be119a769c0282b70ab773e08f481b1878baf84b76f97d388127b8c1f3b7db7
Instruction Fuzzy Hash: 807139B2F142068BC744CF35CCD16EAB7B2EB95254F218839C805DF656E731E90B9B86

Uniqueness

Uniqueness Score: -1.00%

Function 04950463 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac03b3f9e72eadfb928af75b54fd160becdb00cf1303408fabf8dd990709a17
Instruction ID: 596b04580abcb3907368ea425c4a33f40b833ce3d56e5d41779e71c64bd23d5d
Opcode Fuzzy Hash: 3ac03b3f9e72eadfb928af75b54fd160becdb00cf1303408fabf8dd990709a17
Instruction Fuzzy Hash: B1716BB2F142068BC744CF348CD56EEB7B2EB91254F118879C405DF696E735E90B8B81

Uniqueness

Uniqueness Score: -1.00%

Function 049507D5 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8e8855ccc752f85416baf256bcd2e1b28a7c4f7e6b923d9705adeee996155f
Instruction ID: 7e0c953be6e3ed6aa920e0df920b8e0292723366495e5d05e6276c9aa5ad2214
Opcode Fuzzy Hash: ab8e8855ccc752f85416baf256bcd2e1b28a7c4f7e6b923d9705adeee996155f
Instruction Fuzzy Hash: 1A716AB2F142068BC744CF358CD16EAB7B2EB91254B108839C405DFA66E731D90B8B82

Uniqueness

Uniqueness Score: -1.00%

Function 04950565 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20076275406f64399d2c09248b9934789db7aaabbc29974713d53d92fe698901
Instruction ID: 55099ea27c9d4b2ae63a499aae35151ac8a0dfa4d3642bdd5f347b858ac02eb7
Opcode Fuzzy Hash: 20076275406f64399d2c09248b9934789db7aaabbc29974713d53d92fe698901
Instruction Fuzzy Hash: 41716BB2F142068BC754CF348CD16EEB7B6EB91254F118839C805DF6A6E735D90B9B81

Uniqueness

Uniqueness Score: -1.00%

Function 049507A7 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5370eea483bc2de94fd77121567334590d7d0d937f76465fe1a104b5791b4abd
Instruction ID: ef1122b008a54df20882e65e02cec64c36dec67295bb910c526faf6cd57f8398
Opcode Fuzzy Hash: 5370eea483bc2de94fd77121567334590d7d0d937f76465fe1a104b5791b4abd
Instruction Fuzzy Hash: C3715BB2F142068BC744CF348CD16EEB7B6EB91254F11883AC405DF666E735D90B9B82

Uniqueness

Uniqueness Score: -1.00%

Function 049506E0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2836c59f2a3fdd7dc36bcf98681c905f9ef176d01e8c7c5b8bf98fbf5a812f6
Instruction ID: a0b6febfdbcd77f59552980e48f55699c4f0856de9a27740ea156d4e68b3ed5e
Opcode Fuzzy Hash: b2836c59f2a3fdd7dc36bcf98681c905f9ef176d01e8c7c5b8bf98fbf5a812f6
Instruction Fuzzy Hash: 527148B2F142064BC748CF358CD16EEB7B2EB91254F118839C405DF6A6E635A90B9B86

Uniqueness

Uniqueness Score: -1.00%

Function 04A173F6 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5add5a6400d967075bdc3b114bfb0c9c1f80b4de1b760874882b4b153379c75
Instruction ID: 341aae3252db7eeb4c584feaa2674cf909eb84627690e7f1cba6e8619ff2cd62
Opcode Fuzzy Hash: b5add5a6400d967075bdc3b114bfb0c9c1f80b4de1b760874882b4b153379c75
Instruction Fuzzy Hash: BE517C7AF091418FDB049B7898492FEBBB1EB59220F05A867D447DF271EE34E8068746

Uniqueness

Uniqueness Score: -1.00%

Function 04951005 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2efb3cfd5feba53b7a9d7b17923c452ba5f1e557c76e894858f8431d2e2cece
Instruction ID: 34d4dd297c0bea5b646618d2ff91039ada18fbbf4cbd3e44621f8730f0975f65
Opcode Fuzzy Hash: a2efb3cfd5feba53b7a9d7b17923c452ba5f1e557c76e894858f8431d2e2cece
Instruction Fuzzy Hash: C951C731F152518BCB44EBB4E94676EB7F7AB84244B258876EC02EB374EE34DD018B52

Uniqueness

Uniqueness Score: -1.00%

Function 04951052 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b6bdf8f75fa5ad083481e45ddf3fd0ae4ba1cc32edab9672aeec52d02c6d29
Instruction ID: 20fe492d3a24894e4e0267e61d0dde602d887842ae2ec90940a797e0027ff692
Opcode Fuzzy Hash: 63b6bdf8f75fa5ad083481e45ddf3fd0ae4ba1cc32edab9672aeec52d02c6d29
Instruction Fuzzy Hash: 1D51FA31F15250CBCB04EBB4D94676EB7F7AB84244B254836EC02EB374EA34DD019B52

Uniqueness

Uniqueness Score: -1.00%

Function 04950A58 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252146089.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4950000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e0d97390271f881a88f90e8615d7d8327a06ca6b79e47d096df1ed92343334
Instruction ID: 80d39905cc6e379d84c1ca8f4d0b90f00882fa9c1c368a518480b5cfccdfd5b1
Opcode Fuzzy Hash: 10e0d97390271f881a88f90e8615d7d8327a06ca6b79e47d096df1ed92343334
Instruction Fuzzy Hash: 874139327002058BC728DB79C95576BB7EBABD5384F21C83AD906DB7A4EB70EC058791

Uniqueness

Uniqueness Score: -1.00%

Function 049FA209 Relevance: 1.9, Instructions: 1884
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.252199271.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6121ff098b47244dca2fd0ceedc1fcb96cc20422eef9440239d4d7aa9f77ea24
Instruction ID: 4a89d4b4c4d56d0183e5d22dde95a782e8018f7b98544ac2add344c948037bc9
Opcode Fuzzy Hash: 6121ff098b47244dca2fd0ceedc1fcb96cc20422eef9440239d4d7aa9f77ea24
Instruction Fuzzy Hash: 9F236A75E012199FDF60DFB0DD58A9DBBB5BF49205F1085EAA90AA7220DF345E82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A8B6 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00A8A95D

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6c60acfe45f6c0fb4dacfd73259ca63bd432402103496fc3cf4443e7c014d27b
Instruction ID: 0d0366d532e45ec893f72bac508fadbff7798a38dce1641d7daf689f0b216dab
Opcode Fuzzy Hash: 6c60acfe45f6c0fb4dacfd73259ca63bd432402103496fc3cf4443e7c014d27b
Instruction Fuzzy Hash: 1931AF715097806FE712CB25CC84B56BFF8EF06314F09849AE9848B292D325E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B244 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,375632B6,00000000,00000000,00000000,00000000), ref: 00A8B2DE

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 79da3ff4a2f8a551f4497b1c10dec6671ed0d379b7b9cabac3a6f41edf7d76ae
Instruction ID: 16484649013e9b6088bffc61824d698ec0de9df53ba1766449d3c9d7e74d2dcf
Opcode Fuzzy Hash: 79da3ff4a2f8a551f4497b1c10dec6671ed0d379b7b9cabac3a6f41edf7d76ae
Instruction Fuzzy Hash: 9F31D2725097806FE7128F20DC45FA6BFB8EF56324F0884DAE9859F193D364A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B33D Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,375632B6,00000000,00000000,00000000,00000000), ref: 00A8B3CE

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 77ce66561d1528968782624eaefb5bd91fe19d1415e662bf74eebf5c2b7bbc99
Instruction ID: 06e0ffef87eea8cfcca4fc21c0b2a40f48a15671c9bbdb4e3a5d760ab02254b2
Opcode Fuzzy Hash: 77ce66561d1528968782624eaefb5bd91fe19d1415e662bf74eebf5c2b7bbc99
Instruction Fuzzy Hash: 712194715493806FE721CF21DC45FA6BFB8EF56210F0884AAE945DB152D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B434 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E2C,?,?), ref: 00A8B4DA

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 39f97261c5cb9c819231ba430b695e34ebcd7b4a4c5092a1bdc127c90fb33ab8
Instruction ID: 1f295e98c517ec704b0d174097cdf5554aa42e206d54a9b4d48209727b096cb8
Opcode Fuzzy Hash: 39f97261c5cb9c819231ba430b695e34ebcd7b4a4c5092a1bdc127c90fb33ab8
Instruction Fuzzy Hash: A521A0714093C06FD312CB65CC55F66BFB8EF87614F0984DBD8848B693D224A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A078 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00A8A10E

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 1cc3b7d5a07d8d3cb03896b61de100705ab291f18159e345bd682edaf3faeed5
Instruction ID: 41e2024e17105eca3714275d7322ca58ff6235fe67711c108baefc8818c6f0c9
Opcode Fuzzy Hash: 1cc3b7d5a07d8d3cb03896b61de100705ab291f18159e345bd682edaf3faeed5
Instruction Fuzzy Hash: AF21C17140D3C06FC3128B258C55B66BFB8EF87620F1985DBD9848F693D225A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A728 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A8A798

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5f0c2b9f1631708b9bb14b8a2a4e95f98a18d811c88dd96523e543a7929bc80b
Instruction ID: cec04d7f46b9c657825bd15ad7ddc6baa2b9d28d7c05c26271feef9dbd1e7b3b
Opcode Fuzzy Hash: 5f0c2b9f1631708b9bb14b8a2a4e95f98a18d811c88dd96523e543a7929bc80b
Instruction Fuzzy Hash: 0421FFB24093C05FEB128B25DC95692BFB4EF13324F0980DBDC85CF5A3D2659909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A8EA Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00A8A95D

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a4df46240ad1c55e036ffb5b79d689ca1d529299057b03a7efc9140db001b733
Instruction ID: d2d5a181341c67017e6f5a0a7180c4c42d418ddcf5d57a08646a7d94df74e887
Opcode Fuzzy Hash: a4df46240ad1c55e036ffb5b79d689ca1d529299057b03a7efc9140db001b733
Instruction Fuzzy Hash: BD21BE71608200AFE720DF25CD85BA6FBE8EF14324F0484AAED498B741D775E808CB76

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B0A4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A8B110

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8f1f89c7134b52ccf6f32c01abf49bde936f595098325ae7d15dd0d4660807d8
Instruction ID: cc68896540d39a061c2963a29329ff7cddaf57682df5711b1c4c6a192ff3b14f
Opcode Fuzzy Hash: 8f1f89c7134b52ccf6f32c01abf49bde936f595098325ae7d15dd0d4660807d8
Instruction Fuzzy Hash: F621C0725093C05FDB12CF25DC94A92BFB4AF57324F0984DAEC858F663D264A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B36A Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,375632B6,00000000,00000000,00000000,00000000), ref: 00A8B3CE

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: ef69d58581a86a97926a40698ff4a0406197659c2a47407d7d3c2a2a9e90ef11
Instruction ID: d8c3347683a439ad7df9ead8495ac0043e3ac27f78a252560c0b6ec9f09cea0f
Opcode Fuzzy Hash: ef69d58581a86a97926a40698ff4a0406197659c2a47407d7d3c2a2a9e90ef11
Instruction Fuzzy Hash: 8611B171600600AFEB20DF65DC85FA6B7E8EF15324F1484AAED49CB651D774E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A8ADCB Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A8AE3A

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d3685594ed1ab23c8ed47be8d00082f3b45dcfe5e23a260c148f4c09b06c458c
Instruction ID: f92db7fdcda30d04f491e7a46e0cc09a5a4128e1ea6e3a192e95d7c68c2ed19d
Opcode Fuzzy Hash: d3685594ed1ab23c8ed47be8d00082f3b45dcfe5e23a260c148f4c09b06c458c
Instruction Fuzzy Hash: 212154715093806FEB21CF25DC44B62BFB8EF56610F0884ABED45CB252D275E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B282 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,375632B6,00000000,00000000,00000000,00000000), ref: 00A8B2DE

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: e7d2b1a271c5efd1ad11d9bc878fd518a30eb8929bd0ee98cf3034fc7225b781
Instruction ID: eca4cf39f1aab0aab39ad882eac8106b2177e998dfd80d597a5f36467f5f41ac
Opcode Fuzzy Hash: e7d2b1a271c5efd1ad11d9bc878fd518a30eb8929bd0ee98cf3034fc7225b781
Instruction Fuzzy Hash: 59110472504200AFEB20DF65DC85BAAFBB8EF55324F0484AAED498F641D374E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A20C Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00A8A275

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: eaca6003d4af39a15b5ee0b30a7703ac86f0e54a19f3c314b002a6ce3b749f60
Instruction ID: 226116c1be54d0b9b285df097d3d471567d4b1bb7040075d6da464d3247e4c45
Opcode Fuzzy Hash: eaca6003d4af39a15b5ee0b30a7703ac86f0e54a19f3c314b002a6ce3b749f60
Instruction Fuzzy Hash: E01193755083809FDB228F25DC54BA2FFB4EF57314F0884DEED854B562D261A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A8ADF2 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A8AE3A

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ef2b1bba44586a19ba577bfba887b4b9c4e52c5b594dd496d512da9597ef024f
Instruction ID: c41557d3628b1d0aa8339e83ba1285bd88bebfa1224557182a9423354726a680
Opcode Fuzzy Hash: ef2b1bba44586a19ba577bfba887b4b9c4e52c5b594dd496d512da9597ef024f
Instruction Fuzzy Hash: 661152716042409FEB20DF25D885756FBE8EF24724F0884ABDD45CB651D774D804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AC7C Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00A8ACD0

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 616504283519ed484278fccec9623c0966157861e03b7546c0e129206b888d73
Instruction ID: 0ba95e444deb5f0eb822f5b81751573aab01b9363cb5ab7a90729da4fa019e2b
Opcode Fuzzy Hash: 616504283519ed484278fccec9623c0966157861e03b7546c0e129206b888d73
Instruction Fuzzy Hash: 8E11E1715093C09FDB128F25DC88B52FFB4DF16224F0880EBED858B263D265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A3B8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A8A40C

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 644dae554f2d3d4aad3c2ea53e12c4d0ae0d8c3890bc89acae2972220dab36c3
Instruction ID: 494ae8a91ae8b759d3c21522c9eb02eaa3ae66a86ab25170af46032e4025ff06
Opcode Fuzzy Hash: 644dae554f2d3d4aad3c2ea53e12c4d0ae0d8c3890bc89acae2972220dab36c3
Instruction Fuzzy Hash: 401161754093C4AFDB228F15DC48B62FFB4DF56624F0880DBED858B253D265A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A0BE Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00A8A10E

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 2651fbb73c0d284d7c8606513377faf0bbf9c02cf3a866195fa03dab8b385c6a
Instruction ID: 9bee836651cc411852598dd53508c2f9c7dbfa8370ebde8d08151f3fd67cf4a2
Opcode Fuzzy Hash: 2651fbb73c0d284d7c8606513377faf0bbf9c02cf3a866195fa03dab8b385c6a
Instruction Fuzzy Hash: 9201D471900200AFD710DF16DC85B76FBA8FB88A20F14816AED088BB41D335F519CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B48A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E2C,?,?), ref: 00A8B4DA

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 8d07d70d6bb8b03e30745775dfc58f30bec7c981aed6660e0ac66ab66add19ce
Instruction ID: 530e568b6214c33c702fe0e4929061156da864aa73913feb2127f24ac49a3de4
Opcode Fuzzy Hash: 8d07d70d6bb8b03e30745775dfc58f30bec7c981aed6660e0ac66ab66add19ce
Instruction Fuzzy Hash: 0E01B171900200ABD310DF16DC85B66FBA8EB88A20F14816AED088BB41D231B519CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A766 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A8A798

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7a450a440a4a908561024e744f1ec949a21ea00a39e2472249b4b3a7a03e8429
Instruction ID: ec7b55d70b0d305ccd596755aac0429d67e6d03305e56d80acee27392fc91d66
Opcode Fuzzy Hash: 7a450a440a4a908561024e744f1ec949a21ea00a39e2472249b4b3a7a03e8429
Instruction Fuzzy Hash: A001DF75A042408FEB10DF25D8857A6FBA4DF24324F18C0ABDC09CF606D278E808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B0DE Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A8B110

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: abda98c3b4634f2badd1997e57b3c81eaba6d6f2f66c2db5b6950e6fb6520a0a
Instruction ID: 915ceda05fade293cf23be4c74c267d6cdac247bac27f51ff3010ebd6252f645
Opcode Fuzzy Hash: abda98c3b4634f2badd1997e57b3c81eaba6d6f2f66c2db5b6950e6fb6520a0a
Instruction Fuzzy Hash: 39018F72A146408FDB10DF65D8897A6FBA4EF65324F08C0AADD4A8F742D775E408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A23A Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00A8A275

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 120ea6449f9a80db6a382bb7f723e6c7042785dbcbd749bba24228528c3c91a0
Instruction ID: f6ee5a273649edf0b65d74bb33883c09e5c11751757cb2ca850c8201da4855a5
Opcode Fuzzy Hash: 120ea6449f9a80db6a382bb7f723e6c7042785dbcbd749bba24228528c3c91a0
Instruction Fuzzy Hash: E401D4369042408FEB209F55D8857A6FBA0EF29324F08C09FDD454B721D376E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AC9E Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00A8ACD0

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: f27face41f50a77e3ec518b8da2642e6d41f6913efbce23e4ed82573296a14b6
Instruction ID: 988dbb9b13de2c33af842ef1676461e5248afecc9ed3ccc08e5fef79edae9ff3
Opcode Fuzzy Hash: f27face41f50a77e3ec518b8da2642e6d41f6913efbce23e4ed82573296a14b6
Instruction Fuzzy Hash: FA01F475A042408FEB109F15D889766FBA4EF25324F08C0ABDD058B752D375E848CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A3DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A8A40C

Memory Dump Source

Source File: 00000000.00000002.251179711.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8a000_HEUR-Backdoor.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e4123a374d73c59bc141debb41ea2fd25ff6f300ed4a03939cf985d3431323cd
Instruction ID: 994aa855ea00fc17c13bbeea0935e0a0938d9271ee94e0fcedfeaf9ee2fbd058
Opcode Fuzzy Hash: e4123a374d73c59bc141debb41ea2fd25ff6f300ed4a03939cf985d3431323cd
Instruction Fuzzy Hash: E7F0AF359042408FEB20DF05D889762FBA4EF25324F48C0ABDD494B716D3B9E408CF62

Uniqueness

Uniqueness Score: -1.00%

Function 04A17AE8 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45b9c47e6393230df29850eff19cf9fd07ff5a67b158beab147fec965c4c127
Instruction ID: 1c691a0a1bf6d13bb19fe6b7b02f03d30a7b3c87d5bbf5363a1c52e70db7f4dc
Opcode Fuzzy Hash: f45b9c47e6393230df29850eff19cf9fd07ff5a67b158beab147fec965c4c127
Instruction Fuzzy Hash: 53323E307406118FCB59BB74D569B6E37A3AF8934CB1048BDD5069B3A4EF7A9C42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04A187E0 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c5bb51594c0652fabc7aad897df12ccccd42f853bb92a2b5b76223183dc7ab
Instruction ID: ab7edcdc53764e55bab0c6b1f053b1ffc30d227941a4abc95b04b8a8680a8a81
Opcode Fuzzy Hash: 87c5bb51594c0652fabc7aad897df12ccccd42f853bb92a2b5b76223183dc7ab
Instruction Fuzzy Hash: 75129231B002289BDB54EB74C995BADB7B3AF84304F1481ADD509AB3A1DB38ED46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A17AD7 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00595ae191f2415c2ebe4a5cbd51d15387b4c0613750039f21f5964dccb28c8
Instruction ID: 5ea254f6529a96be085c8e6251b2e756d5aa156cd182e1494de862242b01ac6c
Opcode Fuzzy Hash: a00595ae191f2415c2ebe4a5cbd51d15387b4c0613750039f21f5964dccb28c8
Instruction Fuzzy Hash: 88D181347406009FDB58BB74D959B6E73A3AF89308F1048BDD5069B3A4EF79AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04A1822E Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427311a7a422c0ba53360a4af02f2da9e904729035aca7ec5e16c6c8848ade09
Instruction ID: ae3f787096c1765e3cc4e20bd2bf947a15d0f1d96a9cb4a935ba2d270de6e61b
Opcode Fuzzy Hash: 427311a7a422c0ba53360a4af02f2da9e904729035aca7ec5e16c6c8848ade09
Instruction Fuzzy Hash: F751FC307406108FCB59FB74D56AA6E33A2AF8931D71048BCD5068B7A4EF7ADC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04A18578 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5ace9ee9b7ef2e2d68f3b3d4e8b48c5dd7bae540f828cf8ed10ca05a8a9e1c
Instruction ID: 76e672accebe65810bee633e86bb1e26d366d04a0e81e8be1c72d270bf035091
Opcode Fuzzy Hash: 8c5ace9ee9b7ef2e2d68f3b3d4e8b48c5dd7bae540f828cf8ed10ca05a8a9e1c
Instruction Fuzzy Hash: 93413B71F001144BCB14AB7488256EDB7E3EFD92A4F25453DD426EB364EF399C014791

Uniqueness

Uniqueness Score: -1.00%

Function 04A186D0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450ddd3ee2db0028b646e5b350a055203db384f7c33f918b2f6b04c582a28a63
Instruction ID: d6f496849f2ed82c8cde3d2ae381b71b985a1944f524e710980cd3d0eda2f3c2
Opcode Fuzzy Hash: 450ddd3ee2db0028b646e5b350a055203db384f7c33f918b2f6b04c582a28a63
Instruction Fuzzy Hash: C831C1B07002109FEB00EB78D890B9A73E6EF99A84F144569E545EF790EA34FC149B50

Uniqueness

Uniqueness Score: -1.00%

Function 049F9BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252199271.00000000049F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49f0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8e7a27a1bd78f2e5b0f25f8aaf358e788f4902d63e662a9727080717b25be3
Instruction ID: 596529e364bb1c1b4db530b7738a2083f89e3d6f29597b73e0959c09117ab987
Opcode Fuzzy Hash: 0b8e7a27a1bd78f2e5b0f25f8aaf358e788f4902d63e662a9727080717b25be3
Instruction Fuzzy Hash: B23149B0B082924BDB15A7784D213AEBBA7ABC5654F144877E209DF351FF38EC058792

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A887 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26572f1a7ec177610ae922506b1c76da6067416c7df34bdda38b079920756e8e
Instruction ID: 661a8440fd015cc945207032dce3d1f014b66ea0731afa860d6e180a836df3f2
Opcode Fuzzy Hash: 26572f1a7ec177610ae922506b1c76da6067416c7df34bdda38b079920756e8e
Instruction Fuzzy Hash: 22314FB6609340AFD710CF06EC41A57FBE8EB99660F14C85EFD4997611D235E9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A670 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23029f4be504db9a4e7be580384d69f4018084c2fd5cc5c209ad8da08b530407
Instruction ID: 91030eec1b117db70ed7096a78ef650af0f394bf2610461447fc6943c7b1771a
Opcode Fuzzy Hash: 23029f4be504db9a4e7be580384d69f4018084c2fd5cc5c209ad8da08b530407
Instruction Fuzzy Hash: FF313BB550D3C05FD302CF259850956BFF4EB9A214F0988DFF8C8DB252D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AF44 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae4b2aa7737d50675e76bc0c988096574dd69e5024afad64b858d30ef226336
Instruction ID: 294f628be15d539862560d362ac455f31b355b0347a4d344297d2a7b2c0406e3
Opcode Fuzzy Hash: bae4b2aa7737d50675e76bc0c988096574dd69e5024afad64b858d30ef226336
Instruction Fuzzy Hash: E9217CB6508340AFD310CF06EC45A56FBE9EB89620F08C95FFD4997611D235E8088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AAFA Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a326e237285edcd2ddfd1c5be2809eafd0514c76d0b120f1219bb7203bdeef
Instruction ID: 6d24e801ebf926c1ea33e283c587bde908892d905e1e2079e6f15845350b3fba
Opcode Fuzzy Hash: 26a326e237285edcd2ddfd1c5be2809eafd0514c76d0b120f1219bb7203bdeef
Instruction Fuzzy Hash: 63217AB6909340AFD710CF05EC41A57FFE8EB89620F08C85FFD4997612D235A808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B04B Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd20927637b41b9f4631ee0d258f6aa93d2628bff4d873b5299e1bd9ce461dae
Instruction ID: 7a6321f8f99270adcb51a0856184e73239568135517331663f82cacef7360531
Opcode Fuzzy Hash: bd20927637b41b9f4631ee0d258f6aa93d2628bff4d873b5299e1bd9ce461dae
Instruction Fuzzy Hash: 7221B0B65483407FD7108F06AC41E57FFA8EB85670F18C89FFD499B611D236E8088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AD10 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e184ff3440bfd495cabb6c350c682e72bcae0bd852a4adf13bb9c6bf223975b4
Instruction ID: f97c7a472f0229b71a233cec83ddd6802bf95242717c6ef68ec31c7c6427f1d4
Opcode Fuzzy Hash: e184ff3440bfd495cabb6c350c682e72bcae0bd852a4adf13bb9c6bf223975b4
Instruction Fuzzy Hash: 8121C476509340BFD7108F46AC45957FFA8EF85630F18C99FFD499B612D236B4088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AC06 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fbbb79f241efcfa4eb5697f2926f4c805342d6fdcd3807c8ba51684468f7f7
Instruction ID: 13bd7a03a0237c7da3e597277e6611eb68bdb47f4c2bb9a3d941db4d51cb29b4
Opcode Fuzzy Hash: 69fbbb79f241efcfa4eb5697f2926f4c805342d6fdcd3807c8ba51684468f7f7
Instruction Fuzzy Hash: 1A21C4765093406FD7118F45AC41957FFE8EB85630F18C89FFD499B211D235B408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A8B2 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0826a0108b3f4f89141b0a0fa8e8937a9c229b3bcf9225ad6af12a750f7f4495
Instruction ID: 569fb8c4518a2a96a3aa74053132fa95d1b70fc3491494987ba9960a7c0aa71f
Opcode Fuzzy Hash: 0826a0108b3f4f89141b0a0fa8e8937a9c229b3bcf9225ad6af12a750f7f4495
Instruction Fuzzy Hash: A6211DB6644300AFD350CF06EC41A57FBE8EB88670F14C96EFD4997711D275E9188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AB22 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4c03ddee0d810c8eabe0ed2aee6103bd642fe7a4d3b0715944915129339f6f
Instruction ID: 87c060dd00fad0ff265334d13f4ccefc4b2d02875d7929e5ff42b7469ec1acbf
Opcode Fuzzy Hash: da4c03ddee0d810c8eabe0ed2aee6103bd642fe7a4d3b0715944915129339f6f
Instruction Fuzzy Hash: D6210CB6644300AFD610CF06EC41A57FBE8EB88660F14C96EFD4997711D275E9188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AF6E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8607982b97829669e1e5f45dbdffe4b254262be0d7c590c6e82e14adfba1e9ec
Instruction ID: 1d4c4bc566a4c6cdde8a6de13766fdbc40e025035acf3481dc52f17fe6cb6e7e
Opcode Fuzzy Hash: 8607982b97829669e1e5f45dbdffe4b254262be0d7c590c6e82e14adfba1e9ec
Instruction Fuzzy Hash: AB211DB6648300AFD310CF06EC41A57FBE9EB88670F14C96EFD4997711D275E9188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B076 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c36de0a384b724ead3aa1708e8a7e047ea65f18a86c1c76995a2f1102effe3
Instruction ID: 5a3435bbce5aa15a24956d92dc92319dcdceefcc4413c1d501338aebf01e01fb
Opcode Fuzzy Hash: 71c36de0a384b724ead3aa1708e8a7e047ea65f18a86c1c76995a2f1102effe3
Instruction Fuzzy Hash: ED119376644200BFD6108F06EC41D67FBE9EB88670F14C86EFD0957711D276F4188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AC2E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625032fad3ee8dd0d9976c64cf5f5a4077c741fcae247980b3c1082e19d856fb
Instruction ID: 8b76d86235fcfbe372ac42a941cd2d8e9e0ce16b68992af89b6534b862b9348f
Opcode Fuzzy Hash: 625032fad3ee8dd0d9976c64cf5f5a4077c741fcae247980b3c1082e19d856fb
Instruction Fuzzy Hash: F5119376644204BFD6108F06EC41D67FBE9EB88670F14C86EFD0957711D276F8188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AD3A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c230b0cb7d9137aacc2e8f6cd5664e02e2f3bf89729e8a26dd3091bbd907145e
Instruction ID: b33da60441672a5d7c577f063e68c70358287dc79a81f89891d13ecbd0d33459
Opcode Fuzzy Hash: c230b0cb7d9137aacc2e8f6cd5664e02e2f3bf89729e8a26dd3091bbd907145e
Instruction Fuzzy Hash: A7119376644200BFD6108F06EC41D67FBE9EB88670F14C86EFD095B711D276F8148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AE98 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763096a3b06045d5b9c644469c5221bbb5130827c43454435415d5ac3b1e8efd
Instruction ID: 57e3ece556d4415371172d82dcd4b0ab38e3ae1541b709686143d5b929268fa4
Opcode Fuzzy Hash: 763096a3b06045d5b9c644469c5221bbb5130827c43454435415d5ac3b1e8efd
Instruction Fuzzy Hash: CB2151B550D3806FD302CF15DC51956BFF5EF96624F0988DEF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A6B1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5390379d0e284233db1135e4c57890655c161ddaabdf4a1183fc11a1ff5d4b95
Instruction ID: 5d5edf8e2ecd6fc3b3552fbb9cd909e2d4a9dfe529b0a628ee0d038098464fa0
Opcode Fuzzy Hash: 5390379d0e284233db1135e4c57890655c161ddaabdf4a1183fc11a1ff5d4b95
Instruction Fuzzy Hash: 4511D7B5908301AFD350CF19D881A5BFBE4FB98664F04896EFC9897311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04A18502 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6823a8e95dbb6433c9febec1947f4153e17edd737285738b56c9b57cedf34e43
Instruction ID: d2ee303a5f49a3a94e4a3f0d1fa50a728f2a27965f041f51e00d6790e4ed6bf6
Opcode Fuzzy Hash: 6823a8e95dbb6433c9febec1947f4153e17edd737285738b56c9b57cedf34e43
Instruction Fuzzy Hash: 6301AD72E091548FCB50FBB8A8815EEBBF0EF48268B0005BAD51AE7211E7346915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 04A17A08 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252276790.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a10000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d3215bfabef7ad4a911e7ee37b6ef443d9576771df6adb405f7cbd5778f7da
Instruction ID: 71029f0cd94c72dbfce5878d6dcf360d0ef218aaaf6758cb7214b8e650528bd9
Opcode Fuzzy Hash: 93d3215bfabef7ad4a911e7ee37b6ef443d9576771df6adb405f7cbd5778f7da
Instruction Fuzzy Hash: 13019E34604244CFD784FB78D2586A97BF2FF9460CF00886DAA8587359EE35DC09AB03

Uniqueness

Uniqueness Score: -1.00%

Function 023B05F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251412158.00000000023B0000.00000040.00000020.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23b0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b90bcb5cb7a028665ac43ea3674d67da27d88e04e687a11c021d871e90caa0
Instruction ID: 38e4c17a14c023f6d3660dab9658a92bab7e3252dec7af21f0a80abc592c0874
Opcode Fuzzy Hash: 54b90bcb5cb7a028665ac43ea3674d67da27d88e04e687a11c021d871e90caa0
Instruction Fuzzy Hash: 08E09276A046444B9750CF0BEC81452F7D8EB88630718C07FDC0D8BB01E636F508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A83F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbfd9c94eb0e7df513775d81c727ccda3792c96f2425ab439429a6c752da322
Instruction ID: 23637b368baf3b9389f07103a3a042d224b942006b72d47ffc6b88737ec8a8c8
Opcode Fuzzy Hash: cbbfd9c94eb0e7df513775d81c727ccda3792c96f2425ab439429a6c752da322
Instruction Fuzzy Hash: E7E0D872A4020067D2508F06AC86F52F798EB54A74F04C55BED081B701D172F5048EE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B007 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fa7390f812533291e663b53f11c1a57fb3efe0d46cb01e41392d7a3fad437b
Instruction ID: 66b702e368be151445f8b8957d633acc4cc83b207daab7d1030eec5ad5d4f2e3
Opcode Fuzzy Hash: 37fa7390f812533291e663b53f11c1a57fb3efe0d46cb01e41392d7a3fad437b
Instruction Fuzzy Hash: 74E02071A4030067D2209F06EC86B52FB9CEB54970F04C46BED081B741D176F5088EF5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AAAF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6454724dbd4cf11b6fe0df88fb61f3af4d764685bae62af1eeba01c2b0ca82
Instruction ID: 44b7279e3b274eb9d360be0d9d48cf069962c69af7733f87c4b6b70718b34848
Opcode Fuzzy Hash: 8e6454724dbd4cf11b6fe0df88fb61f3af4d764685bae62af1eeba01c2b0ca82
Instruction Fuzzy Hash: 83E0D872A40200A7D2109F06AC86F63FB98EB54A70F04C45BED081B702E172F5048EF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9ABBF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e50c45edfa9d84ff63b5c860c833084500b677f4714f69f5dc7d79bd6e763da
Instruction ID: 1e8f2a4f94200fd9498dbfa8edc962561b3a585586669454116ddb4d584b928c
Opcode Fuzzy Hash: 8e50c45edfa9d84ff63b5c860c833084500b677f4714f69f5dc7d79bd6e763da
Instruction Fuzzy Hash: CFE02072A4130467D2108F06EC86B53F79CEB54D70F04C45BED081B701D176F5088EE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9ACCB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c3283f64b86aaeb590e95fb594735f8d381ad120bb5ec233fe3686d72c7a16
Instruction ID: 1d936a1ac5c44213abbf7f5f4961202b3f4df9e600d7a6ca02f561a113b0d757
Opcode Fuzzy Hash: 48c3283f64b86aaeb590e95fb594735f8d381ad120bb5ec233fe3686d72c7a16
Instruction Fuzzy Hash: 49E02071A4130067D2108F06EC86B53F79CEB54974F04C49BED081B741D176F5048EE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AEFB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90946f263462bac229db897b02c883ef4a4e3de951976ffdb26b245e08e3d353
Instruction ID: a1a737cce4e86fa5abf71d30960a8b29d1547032e2b66d9a99f03b20cfba3c2a
Opcode Fuzzy Hash: 90946f263462bac229db897b02c883ef4a4e3de951976ffdb26b245e08e3d353
Instruction Fuzzy Hash: DBE0D872A40200A7D2209F06AC86F53FB98EB54A70F04C45BED081B702D1B6F5048EF5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A713 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251219372.0000000000A9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9a000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4544dcb2ef129e21df7fe2ff42df636da2514d8001f691e71524ef1d01b5586
Instruction ID: 4e58a7746cbf0f1be051d39affca91a9a8a0166b58006d4d4d3136f10e116797
Opcode Fuzzy Hash: b4544dcb2ef129e21df7fe2ff42df636da2514d8001f691e71524ef1d01b5586
Instruction Fuzzy Hash: DBE0D872A4030067D2109F06AC86F63F798EB54A70F04C45BED091B742D1B2F5148EF5

Uniqueness

Uniqueness Score: -1.00%

Function 00A823F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251163300.0000000000A82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a82000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d95913abe1d974bca42784b8e391c67e2d228018674f47fce2ffa35b4e29fa0
Instruction ID: 454235e3b54c6d9e0d14e2e8c3758e853ef800fb14790c06ab9d068633c3f3bd
Opcode Fuzzy Hash: 6d95913abe1d974bca42784b8e391c67e2d228018674f47fce2ffa35b4e29fa0
Instruction Fuzzy Hash: 94D05E79295AC18FD3269B1CC1A8BA53B94AB61B04F4644FAE8808B767C368D981D310

Uniqueness

Uniqueness Score: -1.00%

Function 00A823BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251163300.0000000000A82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A82000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a82000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba36b9c336bb07859cf848a1d31a55560733b5257c520270e1099f73fbec5b3
Instruction ID: a6a312e5405c768b928b00fc6aef856ee096acc8bba0034d1a34b17c39d2487d
Opcode Fuzzy Hash: 8ba36b9c336bb07859cf848a1d31a55560733b5257c520270e1099f73fbec5b3
Instruction Fuzzy Hash: 4AD05E342042854BDB16EB0CC1A4F6937D4EB51B04F0644E8BC008FB62C3A8DD81C700

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exePID: 5368, Parent PID: 4864COMMON

Executed Functions

Function 033AAE38 Relevance: 2.2, Strings: 1, Instructions: 955COMMON

Download Yara Rule

Strings

r, xrefs: 033AB95C

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 8e88efff3d17c8b3d629667b0386e8db40183afba2e9ed50f992756c0a9fc911
Instruction ID: 9cfdebd7c6eeee891185097d9171566f6920fa9cae5b09cd4b53518078f8c338
Opcode Fuzzy Hash: 8e88efff3d17c8b3d629667b0386e8db40183afba2e9ed50f992756c0a9fc911
Instruction Fuzzy Hash: 48924775A00A05CFCB14CF68C984AAEFBB2FF88310F158669D45AAB751D734E985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 033A3850 Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526c1b9dde8d04b7f6375c1b52d5731bf37e21b4246ce85686c442af065c749f
Instruction ID: d5fafe71cd014cb2051fd537a47d886f8a2dd8a8a4d0c3141bb223319293cb76
Opcode Fuzzy Hash: 526c1b9dde8d04b7f6375c1b52d5731bf37e21b4246ce85686c442af065c749f
Instruction Fuzzy Hash: DA52C039A04616CFCB04CF5CC8C49AEBBB6FF85324B1985AAD4099F652C775EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033A23A0 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50859748ee6af81e2a705b6139517a63745b30cc10c0112e851797b27f30ce5
Instruction ID: 580ed7f7909caf4497e974b54366bc7ef1426709dc10781f74e23647001e0008
Opcode Fuzzy Hash: a50859748ee6af81e2a705b6139517a63745b30cc10c0112e851797b27f30ce5
Instruction Fuzzy Hash: 9712AB30E04A25CFDB24CF29C8846AEB7F6FB84315F58896DD406EB6A5DB74C885CB40

Uniqueness

Uniqueness Score: -1.00%

Function 033A8798 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff653a8c3c0a50051900ece60015c4f6855a4c241fbfb7d8bf07d4a46e34eec1
Instruction ID: 542e4385c1f18b90df7b0068d2201858d018057a12b9a9e48b821eb7dbb571d2
Opcode Fuzzy Hash: ff653a8c3c0a50051900ece60015c4f6855a4c241fbfb7d8bf07d4a46e34eec1
Instruction Fuzzy Hash: 8912CB30E15A15CFCB24CF68C8846AEBFFAFF84315F588569E0169F690DB798881CB51

Uniqueness

Uniqueness Score: -1.00%

Function 033A2FA8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fb6463a6e6f62e6272a8e035f7f7bc86555b52e91a5be6627bcd22a45825fb
Instruction ID: 3e65632553afcef91cc5aaa4577bd59e6e193d239bfa4604dc289b8c26f9cfb8
Opcode Fuzzy Hash: 18fb6463a6e6f62e6272a8e035f7f7bc86555b52e91a5be6627bcd22a45825fb
Instruction Fuzzy Hash: 2B819F3AF015159BD714DBA8D884AAEB7F7EFC8324F298068E406DB765DF349C018B90

Uniqueness

Uniqueness Score: -1.00%

Function 033A2D58 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

, xrefs: 033A2E76

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 74aaa9542155ac02aca8b82f8e719b51ae0dff857453b0f6f7e6147556397160
Instruction ID: cb32b124edf01961a441a860489d11841ad9c36f13e87ab3b533e35f7330ff4d
Opcode Fuzzy Hash: 74aaa9542155ac02aca8b82f8e719b51ae0dff857453b0f6f7e6147556397160
Instruction Fuzzy Hash: 7D41A230F04A158BCB14CF6DC8C09BFB7A6EBC8215B29CC7AC516DBA25D735D8828781

Uniqueness

Uniqueness Score: -1.00%

Function 033A0BC0 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

hX`l, xrefs: 033A0C78

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: hX`l
API String ID: 0-2625648940
Opcode ID: eaef30f0a5bf2b40a783fc28a5507d9a780af524392f654245997a98151eface
Instruction ID: a231c750833af72596872711c08d1ad2809ea0a9664d1bd1c29172ff76d7b1f9
Opcode Fuzzy Hash: eaef30f0a5bf2b40a783fc28a5507d9a780af524392f654245997a98151eface
Instruction Fuzzy Hash: A341A732B045148FC719DF68C4546AEB7EBEF86310F15806AE906EF761CF769C068792

Uniqueness

Uniqueness Score: -1.00%

Function 033A21F8 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 033A230F

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: b88e5ff27929edfb3020f1ae3bb571dd7b1f244436796573175a677c9ba5e9ac
Instruction ID: 2df62b7d298f4a30123a784f63aec8daf4421f9f7edccc37db97598bf6f53589
Opcode Fuzzy Hash: b88e5ff27929edfb3020f1ae3bb571dd7b1f244436796573175a677c9ba5e9ac
Instruction Fuzzy Hash: B2412C30E08609DFCB94DFA9C4856AFBBB5FB45304F1488AAC402E7AA4D7348A45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 033A85F0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 033A8707

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 088129c319fc6b89045d3a344c5851158facc4cb7584c30d1a6394dd6f049d96
Instruction ID: 015f9a1315cd92a4b2632215dc8c30b6e771b24e61b35fbf007e1c1dd60f8ebc
Opcode Fuzzy Hash: 088129c319fc6b89045d3a344c5851158facc4cb7584c30d1a6394dd6f049d96
Instruction Fuzzy Hash: 3D415D30E05609CFDB18DFA8C585AAEBFF5FF44305F14846AD502AB660DB754A41CB62

Uniqueness

Uniqueness Score: -1.00%

Function 033A50E0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

d@_l, xrefs: 033A51BC

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: d@_l
API String ID: 0-2629656160
Opcode ID: 7907f528ea584efda19eba76bfa7a174a1853ae23cfdfb0d4f56264493dd7fd3
Instruction ID: 5fbcda786fd26b4d53e6da77cc4e2150d11cbbfb83a157f14ac6a66e94314867
Opcode Fuzzy Hash: 7907f528ea584efda19eba76bfa7a174a1853ae23cfdfb0d4f56264493dd7fd3
Instruction Fuzzy Hash: F9219C31E007098FEF04DFA9C4546AEBBFAEF99304F118429C40AAF750EB74A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 033A50D0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

d@_l, xrefs: 033A51BC

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID: d@_l
API String ID: 0-2629656160
Opcode ID: fea63d884367afc39f7fa2f2d6859a177af025c207b9b596676b082e06ed7314
Instruction ID: f11518bbd814d253856ccfb55ba0f93ff68660e1b2f7e11ca77b0f3aafd0b13c
Opcode Fuzzy Hash: fea63d884367afc39f7fa2f2d6859a177af025c207b9b596676b082e06ed7314
Instruction Fuzzy Hash: 56114671D007099FEF04CFA8C8546EEBBB6EF89310F518829C409AF255E7746A4ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 033AF140 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe2f42d03ecc4a58d839ed7aa88e964a0c67584cc5bb1e6cd56fe963842c9ce
Instruction ID: 56c09766260c8fff3ba18e02cb75e80590bf8563090a63fc1d491f55f2e02051
Opcode Fuzzy Hash: abe2f42d03ecc4a58d839ed7aa88e964a0c67584cc5bb1e6cd56fe963842c9ce
Instruction Fuzzy Hash: A9124E39A00610CFC714DF68D488AA977FAEF45356F1580A9E8469F7B1CB79EC44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 033A12A0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252acea71609512db481171123d1c229355653b8ef08ed4c812dd45cd9b54fe2
Instruction ID: 236bd28883b54b198b7689fa6c37f61041a124d34405ec5b14ffa8a3e18534a4
Opcode Fuzzy Hash: 252acea71609512db481171123d1c229355653b8ef08ed4c812dd45cd9b54fe2
Instruction Fuzzy Hash: CA220234A00A45CFC724DF28C480AAAB7F6FF48344F54C6A9D85A9BB65DB39AC45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 033AA910 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1da7d6f5a39b4f833c2dc02a533a296f765e8aa1ef5d68fb94a0d34afa28d1
Instruction ID: 2c32b00faee57303005d287e246d631c89255a79abf49ef68773a450d280b927
Opcode Fuzzy Hash: 1f1da7d6f5a39b4f833c2dc02a533a296f765e8aa1ef5d68fb94a0d34afa28d1
Instruction Fuzzy Hash: F8910975700A568FC704EB79C454AAEB7A7FFE4204F10856DD2069BBA4CFB09C4A87D2

Uniqueness

Uniqueness Score: -1.00%

Function 033A80E0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aacbfa0120dc7b868ec39f1cc446672cbbbe5933dd8431d86705f854e3c26d7
Instruction ID: 55247ab30d652076e7edd67694a50b8a312c9408e3b33e0f997f575d73daf165
Opcode Fuzzy Hash: 9aacbfa0120dc7b868ec39f1cc446672cbbbe5933dd8431d86705f854e3c26d7
Instruction Fuzzy Hash: 57A13A75E00619CFCB14CFACC9846ADFBF1FF48310F24856AD45AAB690D731A946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033AE698 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c59ad927769a56b920300dfbe65bf16d5269c33691f5023f5b6cd18e58e95a
Instruction ID: b2865af4d85879e8035363feb7e4b6d7d0e311e45429cbdbdb89c5794c63bb2d
Opcode Fuzzy Hash: 36c59ad927769a56b920300dfbe65bf16d5269c33691f5023f5b6cd18e58e95a
Instruction Fuzzy Hash: 2591E231E04A15DFDB24CFACC8C0AAEB7BAEF84311F18856AE405AB691D735EC41C791

Uniqueness

Uniqueness Score: -1.00%

Function 033A5FB0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351e114a6e98cb6372643c5e9845254478113486c4ba6bfd115c93e766c24eab
Instruction ID: 51f1973ed30448493de02ccc859aefaff937c7345d6ad8167808dd5ba187e94f
Opcode Fuzzy Hash: 351e114a6e98cb6372643c5e9845254478113486c4ba6bfd115c93e766c24eab
Instruction Fuzzy Hash: 21815031A00A19CFCF15CF14C891ADEB7B6EF85304F05C595D90AAF252DB75A98ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 033A02E8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb97e86c8aa208f0c8d46ba2cbe821f5a2b2d83b8dee8b10551c441b2d6f529c
Instruction ID: 655ba659a79f3a57461d1b9ccc75b498bd7e40527d1bd651c8012c8f33a5af52
Opcode Fuzzy Hash: cb97e86c8aa208f0c8d46ba2cbe821f5a2b2d83b8dee8b10551c441b2d6f529c
Instruction Fuzzy Hash: 2B71FF70B046018FCB08DB68C4A06AE77E7EFC9214F1984AED506EB7A1DF759C45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 033A5FA1 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ffad898308f5e196d4da11465235001e54431a6d63f02c4b3ac29b99bfbf23
Instruction ID: 074d79d0025dee57fcec409724479cbe3d44a054f5deee926d3a556166e227ca
Opcode Fuzzy Hash: 04ffad898308f5e196d4da11465235001e54431a6d63f02c4b3ac29b99bfbf23
Instruction Fuzzy Hash: 62515031904A19CFDF15CF14C891ADEB7B6EF85304F05C5A9D80AAF251DB75AA8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 033A4DB8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ca2124319b2c440dae3cd0b5499af079f86c7e6a02d97aebaed0e7e112fd1c
Instruction ID: a63a4416caeae043296117b87ecf06bb465ce3bc3cc6ed67f2d0aa400d4acee8
Opcode Fuzzy Hash: 79ca2124319b2c440dae3cd0b5499af079f86c7e6a02d97aebaed0e7e112fd1c
Instruction Fuzzy Hash: 416132316056068FCB05DB79E4C09BE77EAEBC4304714C56AD0028FBA6DBB8AC06C791

Uniqueness

Uniqueness Score: -1.00%

Function 033AEAC0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc65bffed8d8dc7437a31b6b4250051fbf03aacbba247422471de83ab5f61d0
Instruction ID: b692416fe9c1cbf30a9bb258dc703998d6e079606f4bb30116286253ac8f0418
Opcode Fuzzy Hash: 1bc65bffed8d8dc7437a31b6b4250051fbf03aacbba247422471de83ab5f61d0
Instruction Fuzzy Hash: 43713934A05A05CFDB14DF69C4D8BAABBF5FF48324F188459D416A7B60CB30E885CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033ADF30 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480176ebc1d1b8fd5654c6af092c88c998c1a8b55c9ade49ec071a0f2587eb44
Instruction ID: 4386348799c69bdaf2967c80d11c331c5d3f06e2dbf3d58495bdff020908b990
Opcode Fuzzy Hash: 480176ebc1d1b8fd5654c6af092c88c998c1a8b55c9ade49ec071a0f2587eb44
Instruction Fuzzy Hash: 3051C431A04619DFCF04DFA4C8908AEF7BBFF84310B058165E906AF625DB35AC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033A7490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e332626337e392e0436dcde6a6fd183630e19f623b69bbf866b42849faa1fb4
Instruction ID: 1d0badd8c33c7308d98dcecf1d9546741bd0fafcfcc0d02c88c8613603a4f359
Opcode Fuzzy Hash: 9e332626337e392e0436dcde6a6fd183630e19f623b69bbf866b42849faa1fb4
Instruction Fuzzy Hash: E7311931900A1ACFDF11CF54C8946DEB7B6EF85305F5184A4D909BB215DB70AA8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 033A70E0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de2f9c0e55ce5b1c06690fb151c8f07f6641e4b5dfde9eca61588ee14139f68
Instruction ID: 35e15489c864f3848c61477e119ecc06eaeb450a3b101686af47e1b1074e9c74
Opcode Fuzzy Hash: 6de2f9c0e55ce5b1c06690fb151c8f07f6641e4b5dfde9eca61588ee14139f68
Instruction Fuzzy Hash: 33517C35F006058BCB18DBB9C4906AEB3F7EF98314B158569C40AAF791DF34AC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033AF130 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee58c625f1e3bc77c6879bf440781bc2bc0099ef1482d6596fa7964f88962b3
Instruction ID: 17db492d238c62220bf6bfcdac4e7327e58e8f3aa6c49c550ec1e79b37f1c2be
Opcode Fuzzy Hash: 1ee58c625f1e3bc77c6879bf440781bc2bc0099ef1482d6596fa7964f88962b3
Instruction Fuzzy Hash: CF512C38A046049FC714DB24D898FA97BFAEF49306F1580A9E80A9F7A1CB75AC44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 033AFCFA Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592fb9e91b89c12061f95d08ff67808efa8f7f1471c73513f73fa41a495d6c0b
Instruction ID: 9fbc3e9bb3088dd60577eb7127ffe5edd2a1c4d8bf2091fb6f73ffec690c3d3b
Opcode Fuzzy Hash: 592fb9e91b89c12061f95d08ff67808efa8f7f1471c73513f73fa41a495d6c0b
Instruction Fuzzy Hash: 63415830B056609FCB12DB789C51AEEBFB6EF96150F1581ABE004DF2A5DB348D0587A2

Uniqueness

Uniqueness Score: -1.00%

Function 033A7A21 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5efa7533c8ee521b3d23526eea508cf2c204125ca32e83564db9ee254e5a2ff
Instruction ID: ffc996cbb5d44cdbfc268739cc6f861427086b4d9e999960ba8958079645318b
Opcode Fuzzy Hash: d5efa7533c8ee521b3d23526eea508cf2c204125ca32e83564db9ee254e5a2ff
Instruction Fuzzy Hash: 87518B35A00705CFCB14DBB4C4D8AACB7F2FF94204F2082A9D80A9B795DB349D45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 033A09A0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd792106c617b3b863a8e1b3273179e13c3c80a6610bbca0bda9e8efa43b351
Instruction ID: 1502fa2616733a79e9d59a5152efed9a7e15ec555a01a0bf0143e18f3caca43c
Opcode Fuzzy Hash: edd792106c617b3b863a8e1b3273179e13c3c80a6610bbca0bda9e8efa43b351
Instruction Fuzzy Hash: B841C335B006019FCB15DBA8D894AAEB7F6FF84314F258069E1069B771CB74DC06CB81

Uniqueness

Uniqueness Score: -1.00%

Function 033A2BF8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ae873e24bda27128253f6b09bd2b8ee8a12327d75d72c529e80b6fdeafa1ab
Instruction ID: 99af43b0a6065516ec224899f56b2fc35392ce7e54509505a8b99241434e1c99
Opcode Fuzzy Hash: 14ae873e24bda27128253f6b09bd2b8ee8a12327d75d72c529e80b6fdeafa1ab
Instruction Fuzzy Hash: 6841F83050DB959FC315C72888C49BEBBF9EF8221470989ABD456CFAA3C36A9C46C751

Uniqueness

Uniqueness Score: -1.00%

Function 033AEAB0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee813c1f20dfc5c86f0bc018dc2da85d82609fddc6b3d98f6977d80905be7fe
Instruction ID: 26310f0a1de7d8811c325b4fa0306c158613dca074be7ef081970fa0fb41980f
Opcode Fuzzy Hash: 7ee813c1f20dfc5c86f0bc018dc2da85d82609fddc6b3d98f6977d80905be7fe
Instruction Fuzzy Hash: 5C517F34A05A04CFDB24CF6DC4C8BAABBF5FF48314F188959D456A7A61C730E885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 033A6C62 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a0042ee700eb9da81902443e15a715868014c80c907a47c842e09f60f6de0d
Instruction ID: f5ff2ba24d1e0c236ce4dd04ebcd7d1ee8dfd749d5505bc8ba9f99ebf5b732c9
Opcode Fuzzy Hash: 49a0042ee700eb9da81902443e15a715868014c80c907a47c842e09f60f6de0d
Instruction Fuzzy Hash: 4E41C135B02300CFC705EF69D0901AE7BA6EB8A6213494079D906EF791DB7A9C41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033A0682 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ab628a538460f3901b9e0930291193c541568aeb48df4cd4496a6400ad8ca7
Instruction ID: 182ca9796822e5ff2eae4ec3ddb1543843de745f01293592766e597a5e640a76
Opcode Fuzzy Hash: a7ab628a538460f3901b9e0930291193c541568aeb48df4cd4496a6400ad8ca7
Instruction Fuzzy Hash: E24160316002018BC728BB34E8AD5AD3BA6EF90657725857DF502CB6B4DF794C458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 033A1458 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ecfe966dc1e84e76bc75ba48d334a9a81fbff2259f46d2e9c2cad6a9c40cc8
Instruction ID: 8a82d5e2e6b1b8bf08bb617bc0ad32416f01ba17f733207bddfac4cdc2d04997
Opcode Fuzzy Hash: 96ecfe966dc1e84e76bc75ba48d334a9a81fbff2259f46d2e9c2cad6a9c40cc8
Instruction Fuzzy Hash: 9551E034E01259CFCB14DB68C894B9DB7B2FF49344F5080AAD40AAB7A5CB799D88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 033A0690 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef04957b446fb73ba0165c3c814f69f5790bdac7ef38537a67b518e9d8c8b946
Instruction ID: 302eca57668f1ba7c4d76cd4d76f0ef45028a883d010b59c9fc9eb41ebdb7a4f
Opcode Fuzzy Hash: ef04957b446fb73ba0165c3c814f69f5790bdac7ef38537a67b518e9d8c8b946
Instruction Fuzzy Hash: 2D413E316002058BC728BB35E8AD6AD37ABEB90657724887DF502CB6B4DF754C458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 033AFAF0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdec264821230b5d9dffbabbf6747beaa546153e0e8fd3e16fc9b0db6cd73fef
Instruction ID: 4b63e68d89d0d58b4e7aaceb4f6d0ed6e60a03a73b5aef6c2c7e7b449ed9151c
Opcode Fuzzy Hash: bdec264821230b5d9dffbabbf6747beaa546153e0e8fd3e16fc9b0db6cd73fef
Instruction Fuzzy Hash: 6D41C435A00604CFDB04DFA8C894EADBBF6FB88324F158199D911AB765DB35EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033A6C70 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00aa0d5c8254a9be27de09c56a6110f263c37f68dd553befab3893b2561ffc7d
Instruction ID: c726cb72aece4412a372b401df1cc1227878d33bd13a856b874a40ad6a85da86
Opcode Fuzzy Hash: 00aa0d5c8254a9be27de09c56a6110f263c37f68dd553befab3893b2561ffc7d
Instruction Fuzzy Hash: E4419035B02200CF8705EF69D09059E7BA6EB8D611399407CD906EF791DF769C41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 033AACA0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b6e0e21be6fc33df87e7ad669c4e50af5180a519f010d3413dfa962907a2be
Instruction ID: 00f9f1a3a5b9eb3b934829b4958aa48eeb8fb4f72a045ceab897da9b60283ef1
Opcode Fuzzy Hash: f1b6e0e21be6fc33df87e7ad669c4e50af5180a519f010d3413dfa962907a2be
Instruction Fuzzy Hash: FE310672A04A698FCB04DBADC4905AEF7F6FF88215B14842EE486D7750CB35EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033AF715 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bd8b27a66b27508eb2fe71ca63a75c8765e64ceda93b59c30bbb7dd12ff45d
Instruction ID: 7a0f7248ce0927a6eac2e122bf554dca74a3ac62840b6f1287c8f30727ea9e83
Opcode Fuzzy Hash: 55bd8b27a66b27508eb2fe71ca63a75c8765e64ceda93b59c30bbb7dd12ff45d
Instruction Fuzzy Hash: 3041C538A016009FC714DB24D498BA977F6FF89716F6580A9E8069F7A1CFB9AC44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 033ACF80 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ac018ac8728f0384820656758a4a0e222a8bd45c82176173eabaf777f63c0c
Instruction ID: cc1b4bdf8d10d0eed395bf78f9053e6feec0345ffa90b7c7cd132f7bf68c52aa
Opcode Fuzzy Hash: b6ac018ac8728f0384820656758a4a0e222a8bd45c82176173eabaf777f63c0c
Instruction Fuzzy Hash: 8441A0706063408FC7069F74945899A7FA2EF5520C36484AEE205CF3A6DF769D4BCBE0

Uniqueness

Uniqueness Score: -1.00%

Function 033A43C0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1293e858fe85bc95af6eb2902f7a54cdd3cf1f5f2c931a4476ee42c3db4d0412
Instruction ID: 49fd261fff656f9b2638311bc991977c8d4629823df0d44faf9e8366e4a7a281
Opcode Fuzzy Hash: 1293e858fe85bc95af6eb2902f7a54cdd3cf1f5f2c931a4476ee42c3db4d0412
Instruction Fuzzy Hash: AB411331905601CFCB05DF68D8889ED77B6FF8530935488ADD0025B7B5CB79AC16DB50

Uniqueness

Uniqueness Score: -1.00%

Function 033A02DA Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11e5637562facf190687085e2aebab8e134c7fb9db872b293cf8fd2f41e04e9
Instruction ID: 987327e9eb5c8d343a7be8c1ef44520fa3050ae0059067bebdd1d27762f6337b
Opcode Fuzzy Hash: f11e5637562facf190687085e2aebab8e134c7fb9db872b293cf8fd2f41e04e9
Instruction Fuzzy Hash: 8F41AB30B00A058FDB4CDB68C590BAE77B6FF89310F2544ADD502ABBA0CB71AC84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 033AF687 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940197ebca03f92e8bafe22ae0880ee16ea40e26641723007ef19f65406002f5
Instruction ID: 0d9acedc98685723d676d9db41b8f14d1c63f73d0823ac24bc27c361d0688e83
Opcode Fuzzy Hash: 940197ebca03f92e8bafe22ae0880ee16ea40e26641723007ef19f65406002f5
Instruction Fuzzy Hash: 9641E938B006008FD714DF24D498BA977F6EF45716F2594A9E8069F7A1CFB9AC44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 033ADF21 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d93cb9bd35b65306dafd3f91993fa15d8b8fc44529294e3f55cd7d004d7029
Instruction ID: 2aee1dde65d2cac1118617f3e6d8f67ba56648188faabb7c7115b51a7ea04683
Opcode Fuzzy Hash: 60d93cb9bd35b65306dafd3f91993fa15d8b8fc44529294e3f55cd7d004d7029
Instruction Fuzzy Hash: D631D031A04609DFCF05DFA4DCA08EEBBBBEF44304F04416AE606AB665DB359D05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 033AF6CB Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989f1af88d075e956c5fd37b644b1f9a7c13ed2e5316e5411ee8fc9ed47e87b2
Instruction ID: 7900006df82fc15ea3ee116941d786fade74e0e71b8449cd00eb58181c5d3e65
Opcode Fuzzy Hash: 989f1af88d075e956c5fd37b644b1f9a7c13ed2e5316e5411ee8fc9ed47e87b2
Instruction Fuzzy Hash: 8A41EB38B006009FD714DB24D498BA977F6FF49716F2590A9E8069F7A1CFB9AC44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 033AF780 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163540aff61e3017f3a78855e6a9cecbaa3745df76acbc6dae1482b054481821
Instruction ID: ef48379e5b6b1bf286f82710fda0eb3e206d21bb37bf725119d5814104a18fae
Opcode Fuzzy Hash: 163540aff61e3017f3a78855e6a9cecbaa3745df76acbc6dae1482b054481821
Instruction Fuzzy Hash: CC41FC38B006108FD714DB24D498B6977F6EF85716F2984A9E8069F7A1CFB9AC44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 033A1292 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0a7df343daa05d07a0ac02ca21dddf1ff0b8ec76aaa862d334af8a9e7539ea
Instruction ID: dcde573edef1c8d6d30bd772e0c6bab5f659d0c1d83aa92c594324c30290e93c
Opcode Fuzzy Hash: 0f0a7df343daa05d07a0ac02ca21dddf1ff0b8ec76aaa862d334af8a9e7539ea
Instruction Fuzzy Hash: 00410834E04619CFCB64DF68D884B9DBBB6EF49244F0040AAD40AABB90DB749D84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 033A20D0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbe89238ff2f5ad1432d439ad2b6ce3e3823b8327d3f1a6b0f9425f1406ecd8
Instruction ID: 8ee5b40f92c4d4175d5b7bbaf0bb09711cbd6a632bd89b2dd39b0dd4af565531
Opcode Fuzzy Hash: 6dbe89238ff2f5ad1432d439ad2b6ce3e3823b8327d3f1a6b0f9425f1406ecd8
Instruction Fuzzy Hash: 5631A130A08606CFCB05DB6CC8C16BFB7BAEF84204B15886AD506DB791DB74EC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 033AEE78 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b307eb0ee2ebbf7e13aef2d85854a1ac59f0b6ef702282992adf0195675a20
Instruction ID: 21eaa854c3aab5e1f271584566018f34f605bf3012068cd84e207dfc1d0c923b
Opcode Fuzzy Hash: c6b307eb0ee2ebbf7e13aef2d85854a1ac59f0b6ef702282992adf0195675a20
Instruction Fuzzy Hash: 483138329006149FCF01EBB8D8849EE7BBAEF89310B064965E502EB2B0DF759C05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 033AEE88 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd131454002e9f1865456f260a3ce17abf96fd0ee7c1a1e61a92cf0706de04e
Instruction ID: 464dd686986af6125ee332545b691e8cd249ba1eed03c46c9fe8a779d96bbef2
Opcode Fuzzy Hash: cfd131454002e9f1865456f260a3ce17abf96fd0ee7c1a1e61a92cf0706de04e
Instruction Fuzzy Hash: 8931E736900514DFCF11DFB8D8848AEB7B6FF88311B064869E502AB660CF75AC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033ADE18 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c8f306ee9ed0d8241cbfd82c18ff0a0e82243eb935f2a49698e6c370e6cf85
Instruction ID: f68303ee4ea6d5392087bb63e5fe6344800b5e444b1df4ea50111cf949b7f821
Opcode Fuzzy Hash: b6c8f306ee9ed0d8241cbfd82c18ff0a0e82243eb935f2a49698e6c370e6cf85
Instruction Fuzzy Hash: A3315C71A05605CFCB54DF68C494EAEFBF5FF98210F148169D40AA7A60DB31DC81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033A55D9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099ed12877d6ca23e2de329576a3d53f59f851d06551fd4753b15c97c0e3e398
Instruction ID: ae909517bb02fd0e1f8ffac83ea2efb8cbedaf2bb9a291a0dc220cf78e1e0556
Opcode Fuzzy Hash: 099ed12877d6ca23e2de329576a3d53f59f851d06551fd4753b15c97c0e3e398
Instruction Fuzzy Hash: 5931E731B40705DFDB189A688495BEDB7F6EB85710F18106EE402EF7A1DBB54C06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033AA8FF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dea12806c992156ed69b14dd0c53e236773e04908b2281b0cc09d9ee0fb878
Instruction ID: 2aa4f6f685b7492da8e4fdd562b6b297d1ca5f58115411f9857be3d799cdc61f
Opcode Fuzzy Hash: 99dea12806c992156ed69b14dd0c53e236773e04908b2281b0cc09d9ee0fb878
Instruction Fuzzy Hash: E4315C31B101158BDB08DBA9C959BBEBBF6AFC9200F15407DE10ADB2A1CF758C058B51

Uniqueness

Uniqueness Score: -1.00%

Function 033A45C8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95cf97e637e508a8a2c79dd8929cdbf1204d8bc7d1398743dae5b29cd77adbf
Instruction ID: d7b4e0c198083a9795c0c885feafecb4723931592fed482de5899af72dda08f5
Opcode Fuzzy Hash: a95cf97e637e508a8a2c79dd8929cdbf1204d8bc7d1398743dae5b29cd77adbf
Instruction Fuzzy Hash: 22219131F0011A9BDB04DAAADDC1BFEB3BDEB88210F14452AD619D7260EBB0990487A1

Uniqueness

Uniqueness Score: -1.00%

Function 033A70D0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0af85b3bad007ecc81d6461e36b0a82deff903b696b1b84d593b150ab3419a
Instruction ID: 65fafa8ede9ca186279457389091d470aa3ad647255f0b79faf74e941dc55756
Opcode Fuzzy Hash: 3f0af85b3bad007ecc81d6461e36b0a82deff903b696b1b84d593b150ab3419a
Instruction Fuzzy Hash: CA314F35F006098FCB04DBB9D8949EEB7F6EF84314B14856AC816EB755DB35AC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033A0016 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8acb7476e95040576bdfaabe9b56a0e1651870782792f9f22f7183a7f3fb9b3
Instruction ID: d469f145c80212a4a7921f504c3ecaaac3fb7b74fade9e8de653f0a332cc6899
Opcode Fuzzy Hash: f8acb7476e95040576bdfaabe9b56a0e1651870782792f9f22f7183a7f3fb9b3
Instruction Fuzzy Hash: C5318D3050D3C18FC706DB3498A859C7FB2FF5220974A84DEC1858F56ADB78884ACB12

Uniqueness

Uniqueness Score: -1.00%

Function 033AE379 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47be8f8c836b42ca354cf59a17519ae214d3dfa0d1af8e57667073762e40587
Instruction ID: a6e7d10855b2cdaef9dd63110aa245062deb26b2e90aa47cebd19018c95ab1e4
Opcode Fuzzy Hash: f47be8f8c836b42ca354cf59a17519ae214d3dfa0d1af8e57667073762e40587
Instruction Fuzzy Hash: AA317E71B016048FCB14DFB9C585AAEBBEAEF98240F50442DD506AB780EB35DC85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033A85C0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb07c7717d3fa79227c8f928c7b4bd597fc6c9723567ab927b3656542e8bf67
Instruction ID: cc77bfdf172f48bd79bc4430fca303c01e25f7045d13a52e4d7f6c52cd474dcb
Opcode Fuzzy Hash: 0eb07c7717d3fa79227c8f928c7b4bd597fc6c9723567ab927b3656542e8bf67
Instruction Fuzzy Hash: 5031D030909649DFDB15CFB8C5956EDBFB0EF02314F1840AAC5029FAA1D7798A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 033AE388 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b45f1b96ef83700e9e9e1b0a16ffa97d88be43b3b8aa13650d943bf0948071
Instruction ID: 18c3cab1b863db90a3683eff82377104b173b8271bdb1fdea8ce82146f88fc06
Opcode Fuzzy Hash: d4b45f1b96ef83700e9e9e1b0a16ffa97d88be43b3b8aa13650d943bf0948071
Instruction Fuzzy Hash: E1314C71B006048FCB14DF79C585AAEB7FAAB98240B50443DD5069B790EB35EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033A43D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f340f00dd7fff2b4a1d6566c0785eec2243e0a2709366c64a9160841849f1ea
Instruction ID: 8abf4b268c91572e96ff349e750096a565c51d8d52e0629eee215478c1fb3f92
Opcode Fuzzy Hash: 1f340f00dd7fff2b4a1d6566c0785eec2243e0a2709366c64a9160841849f1ea
Instruction Fuzzy Hash: 9331CD35A00601CFCB00EF68E8889ED77B6FF8470A7548469E1029F7B9CB79AC56DB50

Uniqueness

Uniqueness Score: -1.00%

Function 033A55E8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d13c7cc53a1f705b624ac3f0f7cc2e46bb907b07fc4f8e900768311475163bb
Instruction ID: 6c26c4082125d090cc1f0b72e7a40e911e05c5ba7b1fab979afc031c43cb14da
Opcode Fuzzy Hash: 8d13c7cc53a1f705b624ac3f0f7cc2e46bb907b07fc4f8e900768311475163bb
Instruction Fuzzy Hash: 9921F431B002049BEB149B78C4957EE7AEAEB89714F18006EE502EB3A1DFB648058B91

Uniqueness

Uniqueness Score: -1.00%

Function 033AF039 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ee6afdb712059fbfe6ebadb13c418f046ebee627bc3ee0e19ee9574b207a37
Instruction ID: b37b297758d7aca8520a2a0a3b94806de8f2fa837eb629cd0d0769aca5afab6c
Opcode Fuzzy Hash: d9ee6afdb712059fbfe6ebadb13c418f046ebee627bc3ee0e19ee9574b207a37
Instruction Fuzzy Hash: 68314775E00209AFCB05DFB8C880AEEBBF6EF9D300F00806AE505BB661D7359901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 033A8430 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d4eb529412f4ff1bedbdc84cd3cdf5540670fefce7469eed99214b360d30d1
Instruction ID: 01eb9465c5e8f1ad346f514cef452a9bcc4415a786e66405d8dec28d74e0af35
Opcode Fuzzy Hash: 18d4eb529412f4ff1bedbdc84cd3cdf5540670fefce7469eed99214b360d30d1
Instruction Fuzzy Hash: 78318F71B14700CFCB48EB78E45986D3BABEB94265751C469E10ADF7A0DFB88C81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 033AE998 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4bf6164c78f08da733deab2355e755e41a899af096e1b198ae1f09298eb594
Instruction ID: d35864617c9d612e69d1a5877c86be604a460739f7ad56d52a19f59c0dc62045
Opcode Fuzzy Hash: 8c4bf6164c78f08da733deab2355e755e41a899af096e1b198ae1f09298eb594
Instruction Fuzzy Hash: C821E130B04725CBCB14EF79C8819AEB3B5FB99204F00492ED152AB650DB34AC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033A8440 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12b01c67339d03dea47afadf406627f8f4783337623d1874f4c4a2dfc78401f
Instruction ID: 2b5b1be40805a1946fd55bac06559e951a760b427cff14917328742555f4a749
Opcode Fuzzy Hash: e12b01c67339d03dea47afadf406627f8f4783337623d1874f4c4a2dfc78401f
Instruction Fuzzy Hash: 2B219F31B14604CFCB48EB79E44986D3BABEB94265750C469E00ACF7A0DFB88C81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 033AE4D0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5ddcbd505d91e39dbd4518a84ef38ae5d6bf9e5a9752dc036669841b55c167
Instruction ID: 6efc23ff456fbc24d62cb5537f17a9a6d61f03aee4d879b4d1317e7bca178475
Opcode Fuzzy Hash: db5ddcbd505d91e39dbd4518a84ef38ae5d6bf9e5a9752dc036669841b55c167
Instruction Fuzzy Hash: BF218EB1609A519AC324D37D78D0179FB9DDB42104F0C85AFE11A8E812F639C485C362

Uniqueness

Uniqueness Score: -1.00%

Function 033A6A9B Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7065b79ba69a1603819411249980dc57c1eeafbd9afc638530ef5758ab059f9a
Instruction ID: 3f7c9332d62dca1157410f53acf90b0be1b41aac4fc163e471a84ed4fa78f24c
Opcode Fuzzy Hash: 7065b79ba69a1603819411249980dc57c1eeafbd9afc638530ef5758ab059f9a
Instruction Fuzzy Hash: 1731C0317013018B8704AF74E0585ED7BE7FBA1259350C92DE2068F794DFB68D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033A5830 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58e0c46aaf57b79f2c4a037a2dfe6ef42e79e864fb3376c6559cdf08cfbe8ef
Instruction ID: 6044c5db369a91312ba41944ac1f670f75d0292a79d6dfb631fd6b45dd1f4a82
Opcode Fuzzy Hash: d58e0c46aaf57b79f2c4a037a2dfe6ef42e79e864fb3376c6559cdf08cfbe8ef
Instruction Fuzzy Hash: C4210436B056045FDB08E7B988906BFB3AAEFD6124B11497EC053DFBA1DE758C0083A1

Uniqueness

Uniqueness Score: -1.00%

Function 033AF048 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c015c33058515db19da32a3dd8bd8cafff592a5a581eb72ad3f62ed6b691d5
Instruction ID: 1c4ce92d9a388ca826dcdea7a272099777f293b7b671373b95ed4b398ad9adce
Opcode Fuzzy Hash: a2c015c33058515db19da32a3dd8bd8cafff592a5a581eb72ad3f62ed6b691d5
Instruction Fuzzy Hash: B5212635E00109AFCB04DFB9C880AEEBBF6EF9D310F00802AD905AB661DB359901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 033A21E8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64335d9223de902d6b70d98441ffead4b3b02c88bb8d7b641ae3ff7b4858d600
Instruction ID: 6a0be2038becd83c239c268a6dbe633ff63a2dc72a397019a5b9cdf5140594bd
Opcode Fuzzy Hash: 64335d9223de902d6b70d98441ffead4b3b02c88bb8d7b641ae3ff7b4858d600
Instruction Fuzzy Hash: 0E314B30E0860EDFCB94DFA8C4846FEBBB5FB55304F1449AAC402EBA60D7348A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 033AED78 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06f14a8a21ac5e18a4d674fd78bd53d94fa79ff4bbbde9c993759167e91e705
Instruction ID: b579269cc5e287fb37f7d02c3ab2681f783c53b518ee06f8619342c9ec8af422
Opcode Fuzzy Hash: c06f14a8a21ac5e18a4d674fd78bd53d94fa79ff4bbbde9c993759167e91e705
Instruction Fuzzy Hash: B621A170A05A05CFCB15CF6CC885AAAFBF6FF88204F18847AD049A7610E7319842C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 033AE989 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1c9f1f2d7ef1fff2113a01bef82cea9bbd07bd846b2ee7ae0fb65153621dca
Instruction ID: 25e301d36906b59e36f9e0578b5e42482952f507689ff5a0423ebd8c01636354
Opcode Fuzzy Hash: 1d1c9f1f2d7ef1fff2113a01bef82cea9bbd07bd846b2ee7ae0fb65153621dca
Instruction Fuzzy Hash: D5113630B04725DBCB10DA78DC82AAEB7B9FB88200F10496EE142AB640EF749C0087A1

Uniqueness

Uniqueness Score: -1.00%

Function 033A25DE Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbee4c26da9ed298bc45dd01fb8e279d0fab641c1fc85f0b8a9d56497e06680
Instruction ID: 022e51cd1fd5104975c0ce67a0eb937a8a53326402d18651e764c9d2dbfef343
Opcode Fuzzy Hash: efbee4c26da9ed298bc45dd01fb8e279d0fab641c1fc85f0b8a9d56497e06680
Instruction Fuzzy Hash: 35315870E01645CBDB20CF69D88469EBBB2FF94318F18C96DC005AB669DBB4D489CF41

Uniqueness

Uniqueness Score: -1.00%

Function 033A89D6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508f987db96e0cc97534a7c43587460149b828bc23d6e237253c4630205a9b38
Instruction ID: a2ef6651235b800369d1eeb2c5308a519b5851127d9b4845c51bdf6e25753bec
Opcode Fuzzy Hash: 508f987db96e0cc97534a7c43587460149b828bc23d6e237253c4630205a9b38
Instruction Fuzzy Hash: 03319A34E10A45CFCB20CF65D48468ABBA2FF94328F18C129D005AF690DBB894C9CB51

Uniqueness

Uniqueness Score: -1.00%

Function 033ADAC8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee1439e0b787b6c6d90324110ca09cfba7c2a0a39016cdcb2bc5c717e2cc501
Instruction ID: 4fc250b61a825db8beda52ad4c0cd1b930fefd5f968ad53d41ecaa3c8d4c746b
Opcode Fuzzy Hash: bee1439e0b787b6c6d90324110ca09cfba7c2a0a39016cdcb2bc5c717e2cc501
Instruction Fuzzy Hash: CA21BE71B08A14CBCB05DB7998A47BEB7FAFB88215F1444AAE406DBF44DB719C4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 033AED88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4abb53ee8e50675bf5fe7a30ef2a9a56b85c53b72a5bd428a7d292dcdfd59b
Instruction ID: 6bce47f4866d3ccafca5f803d2e0b4584c2b0ccd2049e0e9dc9f460bdf463468
Opcode Fuzzy Hash: df4abb53ee8e50675bf5fe7a30ef2a9a56b85c53b72a5bd428a7d292dcdfd59b
Instruction Fuzzy Hash: AA214F70A05A05CFCB55CF6CC884AAAFBE6FF89254F18417AD149DB750EB319842CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 033AAC90 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974024572150e250d916da9d8f078170051600fbae9607304fecc047157babec
Instruction ID: d2fa0ddc5fab71de3217cb693883c70b62eb5dbcd083cc5cc7de1a8675b34ccf
Opcode Fuzzy Hash: 974024572150e250d916da9d8f078170051600fbae9607304fecc047157babec
Instruction Fuzzy Hash: 8321C3B6E146298FCB04DB9CD8944AEFBF2FB8C211B14812AE455E3350D3309D45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 033A5840 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e2ef632b02ca9c0d56f02519ac263e91f2a2c04b3191ca0a7b3e1a3548aa3d
Instruction ID: 1e9b0d636afa4d3e7be4f685b00cc800457cd6a18240460e08323220a54fe4f6
Opcode Fuzzy Hash: a7e2ef632b02ca9c0d56f02519ac263e91f2a2c04b3191ca0a7b3e1a3548aa3d
Instruction Fuzzy Hash: BF110336B002049BDB08E7BAD490A7FB2EEEFDA124B51483D8417DFBA0DD758C0043A1

Uniqueness

Uniqueness Score: -1.00%

Function 033AFC46 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb6ca2d124bac90436632bcafe51671f4b1ca6c50df47bb93230ef2d3f6a973
Instruction ID: c2b9f08770264c08c5002e8efec4bad051ae13973112a500dd317ba986c52032
Opcode Fuzzy Hash: 0eb6ca2d124bac90436632bcafe51671f4b1ca6c50df47bb93230ef2d3f6a973
Instruction Fuzzy Hash: A8318439A006048FDB04DB68C994EADBBF6FF88324F1A4594DA01AB366D735EC85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 033AE220 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c40fef5d26704f329773d2e0c2fe946a6f3547d043e804d6c65c21b7155f416
Instruction ID: e44b653918106f8a6d3698a71b9c7b5da458209d82556a7a667c3be1087e46cc
Opcode Fuzzy Hash: 4c40fef5d26704f329773d2e0c2fe946a6f3547d043e804d6c65c21b7155f416
Instruction Fuzzy Hash: C7219031E00914CFCB54FFACC595ABEBBF9EB88310B14806AD406E7A40DB35AD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033A6990 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7350541b49a4046d7958ed6f3c4f4dac2818ddeeed4a6f12b896d79aae1ba06
Instruction ID: 1e7af298afb1b632fe6321af9b07a1a95c787178dba7932b70ef3d087db705b7
Opcode Fuzzy Hash: c7350541b49a4046d7958ed6f3c4f4dac2818ddeeed4a6f12b896d79aae1ba06
Instruction Fuzzy Hash: 9521D571F047088FCF54EB78A882BEEBBB8EB81204F54806EC405DB690EB315955CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 033A5000 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6def876746ac031bf7c5978628a1228096f0b3c5702b50cd57eb1f805f99b7e0
Instruction ID: f886ac231c00434976b5351aeef049eabf1a6099a60de3623cb28f7639dcad3a
Opcode Fuzzy Hash: 6def876746ac031bf7c5978628a1228096f0b3c5702b50cd57eb1f805f99b7e0
Instruction Fuzzy Hash: FF11D631F01A15CF9B44EBB898913AE77E5EB861087548479C806EB780EF789C02D7E6

Uniqueness

Uniqueness Score: -1.00%

Function 033A54F8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb777fc0a51c97eaec4ce9d7795f1e35214d6df53fb6220f502e2983b46ea9aa
Instruction ID: 0302aa7b5695c7d1ecb8026306c2a1a898e2924385ef9ad7f1cf93de0e308410
Opcode Fuzzy Hash: bb777fc0a51c97eaec4ce9d7795f1e35214d6df53fb6220f502e2983b46ea9aa
Instruction Fuzzy Hash: 8C21E731E12305CFDB54DF78E8816EE7BBAEB85315F608539D0029B251D7794D02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033AE211 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ef0d91e4629e4b5f4b7be93d2c21350c0ac2ff36bd512cf7116afc955890c9
Instruction ID: a3b8b0f9922574c1a5780a47e284e8de4cde847cc2c9cdbae81bd270fe896997
Opcode Fuzzy Hash: 61ef0d91e4629e4b5f4b7be93d2c21350c0ac2ff36bd512cf7116afc955890c9
Instruction Fuzzy Hash: EE115175905914DFCB54EF5CCA85AFEBBF9EB88311B10806AE416E3600D735AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 033A48B8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a7337de6509bd25b27cec8a748a4dd20540b99f130438067b62e56bc04b048
Instruction ID: 7bb1d8c67b8c6f1ca7d5a6847c4f4fb8ba7d865b3b05a79a33bbeed3446e839d
Opcode Fuzzy Hash: 74a7337de6509bd25b27cec8a748a4dd20540b99f130438067b62e56bc04b048
Instruction Fuzzy Hash: 0D11E732F086169F8B45DEA9D8908EEB3B6EBC5320B05413ED502BB751DF741D068790

Uniqueness

Uniqueness Score: -1.00%

Function 033A08B2 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383ce056922177494e42d594665987f6eb4e53ef459feb05530e729d08f7b5ac
Instruction ID: 4feadec72d76c61d6af9ed53a6a0750833039e3378c61b431ea6e4635bcbfbd2
Opcode Fuzzy Hash: 383ce056922177494e42d594665987f6eb4e53ef459feb05530e729d08f7b5ac
Instruction Fuzzy Hash: E5117831E487148FC729CBB898905AFBBA9DF91360B05416FD8028B262CB688C068391

Uniqueness

Uniqueness Score: -1.00%

Function 033A48C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d6a890be53cc8e12593b59a1caed68ed970dac419e059ddbf0135c8d503ce3
Instruction ID: d27cc3c867878bcba9d17db6b0c8dd498df95fc851f035c15450c17436bd6917
Opcode Fuzzy Hash: d6d6a890be53cc8e12593b59a1caed68ed970dac419e059ddbf0135c8d503ce3
Instruction Fuzzy Hash: 9211A332F085199B8B04DAB9D890CEFB7BAEBC5214B04403DD906B7741DF616A1A87E1

Uniqueness

Uniqueness Score: -1.00%

Function 033A5BA1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61fd4eb2e4cefac1ad34469360bef1a328019d4931f6445fd515bcdea481ff3
Instruction ID: 595be5f5ebc1864df1a50c8e24dd1cd222e9e33cb8eb2390463595d10099b33f
Opcode Fuzzy Hash: d61fd4eb2e4cefac1ad34469360bef1a328019d4931f6445fd515bcdea481ff3
Instruction Fuzzy Hash: C3117A31618B444FDB15EBB864A40BD3795DF9353431586BFC1878FAA6CF69880BC352

Uniqueness

Uniqueness Score: -1.00%

Function 033AD928 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdda411b2606654a96767a518863fb41404358cb846b897acf0ac20e6ac8422
Instruction ID: c7041213e5d0b543aa25b7d6024a927c80830cff830daf6bce50cf27130aeec2
Opcode Fuzzy Hash: dfdda411b2606654a96767a518863fb41404358cb846b897acf0ac20e6ac8422
Instruction Fuzzy Hash: F011CC31B053505FCB215BB958586AF7BAAFF86224704047EE847DB761DE39CC0183B1

Uniqueness

Uniqueness Score: -1.00%

Function 033ADE08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38c7b2db60635527d2e2a202119c838ddeb15a8f24fbfee15c3d33b8b2b01cc
Instruction ID: b055650e0d383ab2b390924d7227d417f350fcb90a2e0754bc7250d99ba08785
Opcode Fuzzy Hash: f38c7b2db60635527d2e2a202119c838ddeb15a8f24fbfee15c3d33b8b2b01cc
Instruction Fuzzy Hash: B41151B1E05604DFCB54CF68D595BEEFBF9FB98210F189469E009E7A50E7349881CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 033A5730 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2737546945e140fb26257b85a36f84768685b0c27542d00ceecbc04f9e894a0
Instruction ID: 13bf86d374340201a89eeb15582b94d0a00009c1acb9c68c21005404e03a732c
Opcode Fuzzy Hash: d2737546945e140fb26257b85a36f84768685b0c27542d00ceecbc04f9e894a0
Instruction Fuzzy Hash: 14116331E41309CFD744DB74E9816ED77B9FB85255F60823AD401EB690D77A9D02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 033A0B18 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b74de08668fe16e435c994a7a50d788c89eb45ff9b4eaf32843d8f2de2db8b
Instruction ID: 1093bc1c7a5968ec03779799462a1481976cf883e06147dc02c162e07b762452
Opcode Fuzzy Hash: 04b74de08668fe16e435c994a7a50d788c89eb45ff9b4eaf32843d8f2de2db8b
Instruction Fuzzy Hash: 3B11E130F58926EBCB2CE67C8ED07AE72DDCB54A8CF10446A8803EBE40DA70D9008391

Uniqueness

Uniqueness Score: -1.00%

Function 033A4520 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7f39519d36c3921eaf2a5f0dde12c706c8a9ce7e30eebf4f02af6caf600e77
Instruction ID: 3579cbd1fe5d2d52312c9201ed3c883e59dcdf5c71bba6cc0daab03831d79de8
Opcode Fuzzy Hash: de7f39519d36c3921eaf2a5f0dde12c706c8a9ce7e30eebf4f02af6caf600e77
Instruction Fuzzy Hash: 3401C032E049158BCF04DA5EE8402EFB3AADFC6221F19443AAD06DB780DEB69D0587D0

Uniqueness

Uniqueness Score: -1.00%

Function 033AC5F8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3432105b92011db94a31d4ae2c2a0863491dbdf8d75c312b41924a25922d26a
Instruction ID: 4d3d33b3ca6364ad74fb2527525e4082c94af8d88d8e0ab9c0db06e9ce8e96d2
Opcode Fuzzy Hash: a3432105b92011db94a31d4ae2c2a0863491dbdf8d75c312b41924a25922d26a
Instruction Fuzzy Hash: 8D11C470305A419BC315E77885904BDF7A7DFB211435C986E904ADBBB1DF32DC068762

Uniqueness

Uniqueness Score: -1.00%

Function 033AC4D8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf73af780020735fb3052f37b1767e91c4253f033769a6e67b767c7dd8c5b06
Instruction ID: c45d180f7e55c8ef88261536aaa2120f4c41040729b81214566e421d63afa746
Opcode Fuzzy Hash: ebf73af780020735fb3052f37b1767e91c4253f033769a6e67b767c7dd8c5b06
Instruction Fuzzy Hash: AB117331B005109FC708EB6EC494AAE77EBEFD96547598069E40ADB7A0CF36EC02C791

Uniqueness

Uniqueness Score: -1.00%

Function 033AF9D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1518c6ecbeb5f2f9b9d5411cdf2e033cb3216d68087abdc6ee7e66dc5ad571
Instruction ID: d1f677cacaeaf2f3286babc91065a39f27e4295e439302d36b7f82632ad3dc2d
Opcode Fuzzy Hash: 5e1518c6ecbeb5f2f9b9d5411cdf2e033cb3216d68087abdc6ee7e66dc5ad571
Instruction Fuzzy Hash: 6911E231B08B49CFCB14DB68D888BFEBBB5EB48718F14406EC116A7B80CB7558448F90

Uniqueness

Uniqueness Score: -1.00%

Function 033AC608 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f4192f48179f15f12cfbf87d01f6a7a37ec25934d683805ecb8f397ab6adff
Instruction ID: e74217c1b3cccc01103f77e69f41491875a5f92602c8596dd15c6b66dd99fb76
Opcode Fuzzy Hash: 03f4192f48179f15f12cfbf87d01f6a7a37ec25934d683805ecb8f397ab6adff
Instruction Fuzzy Hash: 18119D70308A409BC304E729819047DF7A7EBB6159788A82E914A9BBE0DF72DC068767

Uniqueness

Uniqueness Score: -1.00%

Function 033AC858 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64696b893e6ea33ba6cc50fd2670fca9c771baec328f6d262742ff7948bb3a01
Instruction ID: 74f3b626bc081cc8bc09451c6e7880b6df0368fb5c1a72eb9e75ea0e3767365d
Opcode Fuzzy Hash: 64696b893e6ea33ba6cc50fd2670fca9c771baec328f6d262742ff7948bb3a01
Instruction Fuzzy Hash: 5F113734600A01AFC724DA59C990966F3EEFF98225B54D91ED85A87F90CB71FC12CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0321087C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515766612.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3210000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea225deff5e95d22362a8dd47f11f282b7d3c1fa9de6693b451cd02320138e88
Instruction ID: e22103820f2e339d9d1089c777df52ef84e5aead3cc9d75a6576eb86e31b386f
Opcode Fuzzy Hash: ea225deff5e95d22362a8dd47f11f282b7d3c1fa9de6693b451cd02320138e88
Instruction Fuzzy Hash: CE113A30218280DFD705CB10D644F26F7D5AB69708F28C5ADE8490B742C377C8E3CA51

Uniqueness

Uniqueness Score: -1.00%

Function 033A2390 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac6e1cd2ffb52c8e9ccaecded2b78b56c67c3c7de0b0eb210e9c27f11c5dbe5
Instruction ID: 42ef90f2c3a478edfc0a8dfd9df7efc4d74e287ec7903584457a581f72abb39a
Opcode Fuzzy Hash: fac6e1cd2ffb52c8e9ccaecded2b78b56c67c3c7de0b0eb210e9c27f11c5dbe5
Instruction Fuzzy Hash: 5A114F70D4865ADFC719CF58C8906AE7BB9FB45314F10496DC502EBB80DB794882CF90

Uniqueness

Uniqueness Score: -1.00%

Function 033A11DF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb181717e0b0b7bb83c6b7a4aaaf6fa553da71714fe619a67995f675be0590
Instruction ID: 8b24108722caaa8596ea465aed5af5f395729f64e8f12cd4042c14add7ea24e1
Opcode Fuzzy Hash: e8eb181717e0b0b7bb83c6b7a4aaaf6fa553da71714fe619a67995f675be0590
Instruction Fuzzy Hash: D511C431709680CFC705DB2CD4989A97BE9EF96200B1540EAE142CFBB1DFB9DC088792

Uniqueness

Uniqueness Score: -1.00%

Function 033A4FF0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a7ec6975a13c6fc0806aef3683bfae2776abc2bb0bdf6d6ec8949ec29cb362
Instruction ID: 54d5a60333c90912ae5a3b8550afb11aa0f8e36af9566e01d7bb9efc09e46f48
Opcode Fuzzy Hash: f4a7ec6975a13c6fc0806aef3683bfae2776abc2bb0bdf6d6ec8949ec29cb362
Instruction Fuzzy Hash: 37010431E05A028FD740DA78AC827FE77E9EB85110B44853AC405EBA81E77D8802DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 033A4510 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e587d424ce924e986ee5b2c70a5d5016399fd99dc87f87c6ea35a3c072db781
Instruction ID: 21cddf0bf6a80d5c0e075fac41313adbad47b5dfa0c7a1098117c0aa0985956d
Opcode Fuzzy Hash: 1e587d424ce924e986ee5b2c70a5d5016399fd99dc87f87c6ea35a3c072db781
Instruction Fuzzy Hash: 9E01D631E04A118FCB05DA6D84401FFB3E6DFC6220B19857E9806DB791DEA98C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 033AC1F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509f6d9a764dc76a9904c2173aebb250d959a402d2e4a17be208b62613f47c50
Instruction ID: a6b4492d452515e5c3f6a63f51c0fe249c15f7fe4c54003ede977b147256eef4
Opcode Fuzzy Hash: 509f6d9a764dc76a9904c2173aebb250d959a402d2e4a17be208b62613f47c50
Instruction Fuzzy Hash: 68110671B143209FC7059B78A444B6D77DBE7D9622F4444A9E40ADB3E5CEB84C81C764

Uniqueness

Uniqueness Score: -1.00%

Function 033AE8F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d2f0fb50f757ea835d3cda928d47a9269036734a44faf65f72cb82ff1af898
Instruction ID: f48aa6c77bd92cdd72014aa1cfd1eddf494faff4cda5190b1ca53e245ee2be2b
Opcode Fuzzy Hash: 94d2f0fb50f757ea835d3cda928d47a9269036734a44faf65f72cb82ff1af898
Instruction Fuzzy Hash: 6101F931608F05DBD7A4DA28DC91ABFBBA9DB45210F18441DD496A7A40CF395D0587E2

Uniqueness

Uniqueness Score: -1.00%

Function 033A4788 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a58d477412016f983316b189d5adfd19d90214e500a44c1c588320da821e1d9
Instruction ID: bd58556d497ad10f4d0d67d82dd10d1c6b8d6248153e8adcfd36700908967bd4
Opcode Fuzzy Hash: 4a58d477412016f983316b189d5adfd19d90214e500a44c1c588320da821e1d9
Instruction Fuzzy Hash: FC012172F002198FCB95EFB898516EE77F6EBD4214F20847EC509E7651EB3949038791

Uniqueness

Uniqueness Score: -1.00%

Function 033A5740 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73900b94d4e0586cace4823197af1907deaf45a2c7885944eb600158dec6e33c
Instruction ID: 9e619c017129d2784a477eac3ab76bab2c7747a900d01889f8b55c7d0d948e77
Opcode Fuzzy Hash: 73900b94d4e0586cace4823197af1907deaf45a2c7885944eb600158dec6e33c
Instruction Fuzzy Hash: 0311A531E01309CFE704DF74E9817AE77B9FF45245FA08129D401AB280D77A9D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033AD938 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff0bdefb9fb3f4687b75cde9dcfc9c4b6bf5c46e0d01294624e0933f9c5d38d
Instruction ID: 4bfda4d25013ed66fb31f1b05ca3cbe7805cf840e3ae48152deea6e32961f6c7
Opcode Fuzzy Hash: 9ff0bdefb9fb3f4687b75cde9dcfc9c4b6bf5c46e0d01294624e0933f9c5d38d
Instruction Fuzzy Hash: 8501F731B002115FCB142BBA945866F769EEFD9174750443DD406C7751DE75CC0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 033A05BA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b585da56ca32aa359368886a96a497311285da0b64e3889b6e7b71eec0a206
Instruction ID: b4579b0dca0304132a0cb3eee856631822b988d5297eaa87e1fb1b197cd4ca41
Opcode Fuzzy Hash: 52b585da56ca32aa359368886a96a497311285da0b64e3889b6e7b71eec0a206
Instruction Fuzzy Hash: 6E01D6B1B046210B870A667C94586EF33DB9BD6558715446FD206DB3A2CFBD8C0B43A2

Uniqueness

Uniqueness Score: -1.00%

Function 033A8048 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66cce76ebb045a26c9514bab99e0e96d50d9a21ca8935a16a469eb1847318fa
Instruction ID: 7d18e82b66720b91fc7665bad01f8f9caceebcbe25afe9b60c84cc74c8777aca
Opcode Fuzzy Hash: e66cce76ebb045a26c9514bab99e0e96d50d9a21ca8935a16a469eb1847318fa
Instruction Fuzzy Hash: 6901B531A04A04ABDB14DA6CC894ABFBFB5DB84314F14446EC516AFB40CB7AAD0597D1

Uniqueness

Uniqueness Score: -1.00%

Function 033A5508 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5978b2f102572ddbd4aff6abc931fff4c524cd7da3614e1d0561b73005f82e6a
Instruction ID: 96ed29e2a7b19b4704ef38087f993d6a5615b3996c721ee34c9a25683caf1cca
Opcode Fuzzy Hash: 5978b2f102572ddbd4aff6abc931fff4c524cd7da3614e1d0561b73005f82e6a
Instruction Fuzzy Hash: 26116131E123098FCB44EF78D8457EE7BBAEB89305F508429D1068B291DB795D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 033A8038 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a060ac812139163960971e3a2b4d89e84538fadf835cdc3ad5a27df86d2927
Instruction ID: 4cdc228cda4a79746aa69f15af1f7508018ec34924004bfc3d5208b89cbc77f0
Opcode Fuzzy Hash: 86a060ac812139163960971e3a2b4d89e84538fadf835cdc3ad5a27df86d2927
Instruction Fuzzy Hash: CC01C830A04A01AFD714DA28C8946BE7FB6DB85304F19442DC402AFB81CB3A9C0697C1

Uniqueness

Uniqueness Score: -1.00%

Function 033A1209 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07a52290ad0a0768a7cf202dee488cdb5e9e8ab517d6250db6bd1007e4a91ea
Instruction ID: 868011f5a615a3e4fc11b7ec56feeda71425edefc58c1f21da847425a4431537
Opcode Fuzzy Hash: f07a52290ad0a0768a7cf202dee488cdb5e9e8ab517d6250db6bd1007e4a91ea
Instruction Fuzzy Hash: 29015E317086508FC704DB2CD0989A9B7EAEFD6615B1540BAE106CFBB5CFB9CC098782

Uniqueness

Uniqueness Score: -1.00%

Function 033AC1E1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56119b0ef0bd5fc4140dc2af1b095a8c7eaee238ab947aaabac0da2e6fc162fe
Instruction ID: 0754ab2449ec7ab18bb01061cf53c153a2ecb4feccad05c4bcd95c959d07429a
Opcode Fuzzy Hash: 56119b0ef0bd5fc4140dc2af1b095a8c7eaee238ab947aaabac0da2e6fc162fe
Instruction Fuzzy Hash: 8C012875B093509FCB029B78E445B6D3BEAFB85222F4445E5E00ACB7E5CA784C86C764

Uniqueness

Uniqueness Score: -1.00%

Function 033AA01F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550c2259a4c3f1fa146b636a9d6e5a9bb7804fc47d29d6b185885bebcb7647a2
Instruction ID: 38f25f97782a5fc458df6314e359e7c1948fa6debb9f65df273783553c5c9630
Opcode Fuzzy Hash: 550c2259a4c3f1fa146b636a9d6e5a9bb7804fc47d29d6b185885bebcb7647a2
Instruction Fuzzy Hash: 68F0C8723086108BC745D7BD48806AD339B9BE6174755462E9119DF7E4DE7C4C0A83A3

Uniqueness

Uniqueness Score: -1.00%

Function 032105CF Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515766612.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3210000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74369280346fef7d3fe63f5480bafb3ad80cd023704b6ef8592ff54b9a1ef245
Instruction ID: 3048ab3af82514e54530e035b248527842f31e5557f75f3c28548a82068442e3
Opcode Fuzzy Hash: 74369280346fef7d3fe63f5480bafb3ad80cd023704b6ef8592ff54b9a1ef245
Instruction Fuzzy Hash: 0C01A7B65097905FD7028B16DC41863FFA8DE86120709C09FEC49CB612D225A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 033AA6B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3bdd10d44c8c23eb5f88d52ecbd6ee2419f89106ef850cf9f2c4ab817813061
Instruction ID: cac9b5127b07496aa9a7b831c6bf1baeaee751f284577c2a051c2403c3e302d7
Opcode Fuzzy Hash: f3bdd10d44c8c23eb5f88d52ecbd6ee2419f89106ef850cf9f2c4ab817813061
Instruction Fuzzy Hash: 07014476E003098FDB50DBB9A845BDFBBF8EB44255F10417AD608D7640EB365914CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 033A6316 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce395b8e11bb46e51dec7fb6d7c7c3f848d57f18c2faf88b2ed04328d459262
Instruction ID: 228bd2921522278ed35ba4ce25d9ebbf4a82121b3bd8b7262761d01984d669e9
Opcode Fuzzy Hash: 8ce395b8e11bb46e51dec7fb6d7c7c3f848d57f18c2faf88b2ed04328d459262
Instruction Fuzzy Hash: F8F0F431B08A258FCB00B6BC28426EC3395DB9123570801AEC506CB6F0DB694C4343E2

Uniqueness

Uniqueness Score: -1.00%

Function 033A4798 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1cd04e56e2ed97b78dc2956859ad2106e39221a5a2bc45cfd8a4430172f7eb6
Instruction ID: 2dc602e5eedd30342b35f08a528e87f9ebb37a0065a5bda0ed402daf1e917ce8
Opcode Fuzzy Hash: b1cd04e56e2ed97b78dc2956859ad2106e39221a5a2bc45cfd8a4430172f7eb6
Instruction Fuzzy Hash: E6014F72F001098FCB54EFB994416AE7BF6EB98244F20443AC109E7250EF395A0287E1

Uniqueness

Uniqueness Score: -1.00%

Function 033A69A0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3baf0b7d7445151de2b418b4ec0562d37ef9973d173572eb4cedf43792b54873
Instruction ID: a0b649e0d94638aac913aa1e49d422a8c67b2a8a3f9b663efdbd584f4b06a77f
Opcode Fuzzy Hash: 3baf0b7d7445151de2b418b4ec0562d37ef9973d173572eb4cedf43792b54873
Instruction Fuzzy Hash: 4801AD75F002088FDB50DBB9E8817EEBBF8EB84211F54817AD608D7680EB706954CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 033A05C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f27757883a4c88b4aa515e641a3f0178f0499b1f20d9255e0500bc59fd9ac57
Instruction ID: 318c6a99656d152c471136f23350323aa90d6998c04b63c4675d9031b4bb5659
Opcode Fuzzy Hash: 4f27757883a4c88b4aa515e641a3f0178f0499b1f20d9255e0500bc59fd9ac57
Instruction Fuzzy Hash: 76F0F0B1B00121074609767D94586EF32CFCBDA999B05442ED206CB3A1CFB98C0B03E7

Uniqueness

Uniqueness Score: -1.00%

Function 033AA6A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce991633fd446c0987a53091907ab47d5aa2ac4e995d0ea429640c5e07c220fa
Instruction ID: 798f8d26e640ba894884d5067c86f9d1352607b1672f96658e445c446664cf92
Opcode Fuzzy Hash: ce991633fd446c0987a53091907ab47d5aa2ac4e995d0ea429640c5e07c220fa
Instruction Fuzzy Hash: 1B01DF71E003058FCB94EBB89945BEEBBF5EB44215F10816AD508DBA80EB368802CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 033AA820 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d31de24b0b7bad8836269fef38532bc4558df5d65844cb4d649def1f6dac22e
Instruction ID: 4f762528cae5a806ddcab4a640adff13f6fee9c79616d92e852d8c28d8904526
Opcode Fuzzy Hash: 3d31de24b0b7bad8836269fef38532bc4558df5d65844cb4d649def1f6dac22e
Instruction Fuzzy Hash: 0901F731708740CFC705EB34D41989A7FBAEB9915130484BDE10ACBB61DF758C46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 033A7318 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571a9167914c0c7ece73d5612a538965fbecef26f315925fd3e8aa4f8b135780
Instruction ID: fedc26aed14382f29c47c0bfcfea54520c1e74d1babc23cf20f3bed48d684c39
Opcode Fuzzy Hash: 571a9167914c0c7ece73d5612a538965fbecef26f315925fd3e8aa4f8b135780
Instruction Fuzzy Hash: 44F0287230851042C705A6BC98D0AED6287ABE5174B54473EA519DFBE4DE788C0543E2

Uniqueness

Uniqueness Score: -1.00%

Function 033A4710 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bf7b0fde1ff62866346bb9d8b8dce0be77d094aff38458e50236c340688a26
Instruction ID: e9f5ed99704c97959696bfba608c5ae5733f6116c3fde01c1aea7c619e485b46
Opcode Fuzzy Hash: f8bf7b0fde1ff62866346bb9d8b8dce0be77d094aff38458e50236c340688a26
Instruction Fuzzy Hash: 31F02B367006908BC62596BE64407BE32CEC7C6556F94003EE205CBB80DDAB9C4243A1

Uniqueness

Uniqueness Score: -1.00%

Function 033A1218 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70e69451029430afb4fef166569705dbfbf1256bc9a7fd3e22225ccb6852b24
Instruction ID: 3d1b1fd1f45b07abcc264067719b9c0daf1c303d1a42332b05cab16fbeb8ffe4
Opcode Fuzzy Hash: f70e69451029430afb4fef166569705dbfbf1256bc9a7fd3e22225ccb6852b24
Instruction Fuzzy Hash: F0011D31714510CBC604DB2DD0989A9B7EEEFD5655B1440AAE506CBBB4CFB5DC098782

Uniqueness

Uniqueness Score: -1.00%

Function 033A7328 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0270b8005c7a1b47a8a082aeacd767ad1eb5b4c9f82415a7f5a30e012aa0847
Instruction ID: 6dc27849b5f507e11c25806e795abe07f04ad864b845e88880b740e584188d96
Opcode Fuzzy Hash: d0270b8005c7a1b47a8a082aeacd767ad1eb5b4c9f82415a7f5a30e012aa0847
Instruction Fuzzy Hash: 3BF0B431308510524704A6BE58D0AEE728BABE6174765472EA61A9F7E4CE799C0543E2

Uniqueness

Uniqueness Score: -1.00%

Function 033A63D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c26cde3620abf0e3f914e06ede20fb369f288b4de3ba2809c8c370ecf87018
Instruction ID: 81caa0bbc2dfd1312f0cfb545bfdd80540a194d2703b5d02fa2a4d22d1f0f3e5
Opcode Fuzzy Hash: e8c26cde3620abf0e3f914e06ede20fb369f288b4de3ba2809c8c370ecf87018
Instruction Fuzzy Hash: 31F0C270E18A119FDB88C67C48926BF76E9CB85254B58842A8907C7B81EB29088686C1

Uniqueness

Uniqueness Score: -1.00%

Function 033AEA29 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a4394e40537344f40d29399a96273bdc01f3c074cc49161a1ea3970d26e6ed
Instruction ID: 96b06bcac63f0ee7f58fb9bf6f0c088b816eca87e1c1d71121bcda987564d16e
Opcode Fuzzy Hash: 16a4394e40537344f40d29399a96273bdc01f3c074cc49161a1ea3970d26e6ed
Instruction Fuzzy Hash: C9F06D31B002299BCB04EB74E882AEE7366FFA9608F108969D505AB254DB79DD0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 033A792A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c180adae0c41eb91366afacf55d8a3862ec65a4b0023df47b61f10d49571a8
Instruction ID: 38b350201da3887ece84d44635a10da6d11de2223ae2bb6604bbd301b57fee41
Opcode Fuzzy Hash: 40c180adae0c41eb91366afacf55d8a3862ec65a4b0023df47b61f10d49571a8
Instruction Fuzzy Hash: 60017175A0021A9FCB46CF94C890D9DBFF2FF48310F09C1AAE5459B661CB358846DB90

Uniqueness

Uniqueness Score: -1.00%

Function 033AA030 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfefd17b4f7ee753c9c0c58780bf119321c03c7cc21448a27fa24b4c00955e7
Instruction ID: 37e4e116c6a82141c83074620d037a7653997c99b05001eea5a04aa518b54ec0
Opcode Fuzzy Hash: 5dfefd17b4f7ee753c9c0c58780bf119321c03c7cc21448a27fa24b4c00955e7
Instruction Fuzzy Hash: FFF0B432308520524604A67E5880AAE738B9BEA174B64432EA119DF7E4CE698C0983A2

Uniqueness

Uniqueness Score: -1.00%

Function 033A80D1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a7741a4bb29b53b936be5eb954054158eaa7c294661aa8278f5b73532c2907
Instruction ID: c32dcabb1b4908f88a20347f98804e61442bd982b97a8e9d02c89b6af4f7e158
Opcode Fuzzy Hash: f9a7741a4bb29b53b936be5eb954054158eaa7c294661aa8278f5b73532c2907
Instruction Fuzzy Hash: 50F0CD30B48315DFC301DB6E9C85CAEBFB9FB81210B0481B6D101CFA52E734890687E6

Uniqueness

Uniqueness Score: -1.00%

Function 033AA7B0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b58848f140d3c4c799c9af6bc38f9a89734b6b3b95aa8730d7030ade7cbfcd
Instruction ID: 8da484e09baf86fd8e37cc769668f57d87f88aec07e68dad4cb32d9abeeae071
Opcode Fuzzy Hash: e9b58848f140d3c4c799c9af6bc38f9a89734b6b3b95aa8730d7030ade7cbfcd
Instruction Fuzzy Hash: 57F0C232744712CFC349D778D4509EE77EEEB9115134581BAD105CFB91DAB88C078362

Uniqueness

Uniqueness Score: -1.00%

Function 033ADD68 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2af5675a0ab7cc9d9aaa996ad2819ae2acec325b74c448ef2f4f635d3de9d25
Instruction ID: ce594342e346559aac7482a1d9f815d1e6ffe13faffa894a4a06b96d85cd8316
Opcode Fuzzy Hash: c2af5675a0ab7cc9d9aaa996ad2819ae2acec325b74c448ef2f4f635d3de9d25
Instruction Fuzzy Hash: C2F02B31205A909FC306977C88309EB3F69DFC6120304499FE5569BBA2DB22880687F0

Uniqueness

Uniqueness Score: -1.00%

Function 033AA830 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe3b160e36743ff3bcdef02cec7a02f26d6b9e460546295260b7f87ad88b787
Instruction ID: 6a80f4eaffebe0e692a6fed62323896c085f07b14789f533f47785cc91001dce
Opcode Fuzzy Hash: bfe3b160e36743ff3bcdef02cec7a02f26d6b9e460546295260b7f87ad88b787
Instruction Fuzzy Hash: 46F0A431704600CBC704EB78D4498997BAFEB98156304857DE10ADBB64EF759C46C761

Uniqueness

Uniqueness Score: -1.00%

Function 033AC4CA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9726f5fba68162e7455b56fa75f3dede8564902e4d464573c8fc0a0ed8088600
Instruction ID: f57f934267b7c0c177338ffea217f901ef0acc4accd4e2e8a43e737c36f78d6b
Opcode Fuzzy Hash: 9726f5fba68162e7455b56fa75f3dede8564902e4d464573c8fc0a0ed8088600
Instruction Fuzzy Hash: A6F054337056501F831A717D5C1462F3ADFC7C2560359426AF045DB791CE165C0183F5

Uniqueness

Uniqueness Score: -1.00%

Function 033A9FB1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dace1d1e585a48f6b603998e5bd25823124ccf5f7d63840ea070225777ecd390
Instruction ID: cf31f567820111cf0a14ff9534bfdcf6f5c6ad549f4f8671399a1ddd01b03b20
Opcode Fuzzy Hash: dace1d1e585a48f6b603998e5bd25823124ccf5f7d63840ea070225777ecd390
Instruction Fuzzy Hash: 49F0F6713097848FC305D77894555ACBBB3DFD212631C89AFD24ADB792CB75880A8722

Uniqueness

Uniqueness Score: -1.00%

Function 033A45B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ece51b46920d5fb499313b8db0bef04afc0bb466d384208b2d5b710a1041a99
Instruction ID: 31e4e3698f876ca0e13653ed92165ebcdee10e2508fd03255e991cb2f3f4c156
Opcode Fuzzy Hash: 7ece51b46920d5fb499313b8db0bef04afc0bb466d384208b2d5b710a1041a99
Instruction Fuzzy Hash: D7F0E230E8031A9FDB50CAA89C01BEEBBFCEB85220F11407AD50CD7251E27449058760

Uniqueness

Uniqueness Score: -1.00%

Function 033A7938 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4382533ebb5986fca328a8809c10f4e9643b45d471e9b6eb2a6fb1de31c1129e
Instruction ID: e572a6903b0389af0353979e0160b2a6e42d481affb04618e0e47d1d988fa059
Opcode Fuzzy Hash: 4382533ebb5986fca328a8809c10f4e9643b45d471e9b6eb2a6fb1de31c1129e
Instruction Fuzzy Hash: E6F0A975A002089FCB41CFE8C894E99BFF6EB4C310F0580AAE649AB321DA31D805DB90

Uniqueness

Uniqueness Score: -1.00%

Function 033A0918 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713ca4b5bdf10f160edbf7c3b58aa7daf6d731a85942ceba89b0d1b76b62a271
Instruction ID: fcb27235b667869501e3e1008c15abe2ba4f872c7dc9284be935fd575149fad5
Opcode Fuzzy Hash: 713ca4b5bdf10f160edbf7c3b58aa7daf6d731a85942ceba89b0d1b76b62a271
Instruction Fuzzy Hash: 49E02B32E296189B9B18D6FD9C815AFF7ADCB95350F00443FDD0B93714DA75480543D2

Uniqueness

Uniqueness Score: -1.00%

Function 033A0908 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a580f1612beb763d84566a765114e86a10f54c62c5fab53c1f35314a6b0c978
Instruction ID: a7771b553b967a674b38491b76a263c4fccc18f090346280ac350d90e7d5dcb9
Opcode Fuzzy Hash: 5a580f1612beb763d84566a765114e86a10f54c62c5fab53c1f35314a6b0c978
Instruction Fuzzy Hash: D8F0E230D5D7548FDB58CAB848905AF7BB9CB92350B0544AF98039B666C6AC4C068792

Uniqueness

Uniqueness Score: -1.00%

Function 033AE5A9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835327b3659881ee9836bd940be63bc8672a90dedee58dfab2da2e7c73676ea9
Instruction ID: f733fed079014e650b35bfa0781dbb6f87424b629af60e5c6e09b07e91ef71dc
Opcode Fuzzy Hash: 835327b3659881ee9836bd940be63bc8672a90dedee58dfab2da2e7c73676ea9
Instruction Fuzzy Hash: 61F02731206AA09F8312D76C98608EE7F69CFD3014304849FE8999B751EB22CD0AC3B0

Uniqueness

Uniqueness Score: -1.00%

Function 033AFC58 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f1c11c0f56b2d90795b5ef43532e440dd2b9e563ee541c8f4b48c04862797a
Instruction ID: 52825de5695d14d7a33e0126911be3093f73a6abe359d5d186585bbae13523b6
Opcode Fuzzy Hash: 00f1c11c0f56b2d90795b5ef43532e440dd2b9e563ee541c8f4b48c04862797a
Instruction Fuzzy Hash: 96F0A07110EF51CFC321C66E9ED0872BB6DEE465043448A9BCC838FE11C626B80283D6

Uniqueness

Uniqueness Score: -1.00%

Function 033A4701 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6c1678cc175a58a7b050b4a1521eda62dce3b62d4655f0042560037ff5b2b0
Instruction ID: 5dce74d44ff221046952c34f425cf8654b598f8fedb9bfe1f1b4a114a8b23cef
Opcode Fuzzy Hash: 5b6c1678cc175a58a7b050b4a1521eda62dce3b62d4655f0042560037ff5b2b0
Instruction Fuzzy Hash: 63F0E5316847908FC357866958507A933A9CBC3231F5A00BFE411CFF92D6AE5C434350

Uniqueness

Uniqueness Score: -1.00%

Function 033A63E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd7aa7900ac322e5266e571a88d359b9762778a26c875b96d97dcdd327361c3
Instruction ID: 6701f42124d366bd12e9fe2f5c3e8ae33c9ffa55e18d61d5db20a74681e7c84c
Opcode Fuzzy Hash: dcd7aa7900ac322e5266e571a88d359b9762778a26c875b96d97dcdd327361c3
Instruction Fuzzy Hash: 1AF0E520B08E129BCB54D23D589267F76EDC7C5548F88843A8907D7B81EF295D4186D2

Uniqueness

Uniqueness Score: -1.00%

Function 033AA7C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74323f544039b8e68afae162aa8bfd527624db07af8fc98c6c04760df232e75b
Instruction ID: 61dcc4140fed0ffed5da5cf226220e1cbb91962c774d81344ea4d6d669b92f83
Opcode Fuzzy Hash: 74323f544039b8e68afae162aa8bfd527624db07af8fc98c6c04760df232e75b
Instruction Fuzzy Hash: B8F08C22700606CB8608E77DD4809AEB7DEEB95191380817AE109CBB50DEB09C0283A2

Uniqueness

Uniqueness Score: -1.00%

Function 033AADE0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2dd1a8218f69d6ea65511bb6cda6a17e9b8df02b63eeccb681d276cd20b2a5
Instruction ID: cb20ba556348862c5264ca465282134386dc289e8206df471659411bc507cdda
Opcode Fuzzy Hash: 0e2dd1a8218f69d6ea65511bb6cda6a17e9b8df02b63eeccb681d276cd20b2a5
Instruction Fuzzy Hash: F1E0EC7A602B104FC320CB6ABC01893F7E9EDE1520308863FD19987A15DB70990587F1

Uniqueness

Uniqueness Score: -1.00%

Function 033AAF49 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f510139c299443ee2520e2bccf776636ccc81b8c90756c1aff63421eaa9b12
Instruction ID: 30f628ccb9aad20e0fee8a9883da207a4f5a4fcd1a44b081f0f898653da569ea
Opcode Fuzzy Hash: 92f510139c299443ee2520e2bccf776636ccc81b8c90756c1aff63421eaa9b12
Instruction Fuzzy Hash: E9F0A7367267508FC316CB74D840956BBB6FFD5216318497FD582C7A42C636E885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 033AE638 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41b22eb80e521b07d0aea552fc742b90b155de5602139f9f779f4414313eb4e
Instruction ID: ab47963e1b2abb9f7f1816269da91c8ee93300d57cb62fd404f752ee69ccc556
Opcode Fuzzy Hash: c41b22eb80e521b07d0aea552fc742b90b155de5602139f9f779f4414313eb4e
Instruction Fuzzy Hash: 48E02223608A6056EB34806C5DC8BA6AA8DD796264F0C0D7AE81FCB662D9900C4883A1

Uniqueness

Uniqueness Score: -1.00%

Function 033AFE10 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54390339008be58b1a62ce029643fd6c6f1bc7bed954b9be72fbd675b29e6d61
Instruction ID: 1d335d9c2f65b218f8b8698c2c822dd012bf9cd56546ef9cfe8949a77cbe78a3
Opcode Fuzzy Hash: 54390339008be58b1a62ce029643fd6c6f1bc7bed954b9be72fbd675b29e6d61
Instruction Fuzzy Hash: 22F05E35C04618EFCB51EFA9CC409EEBFF5EF09211B1080ABE558DB161D6328620DB91

Uniqueness

Uniqueness Score: -1.00%

Function 03210938 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515766612.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3210000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4d967bc5fc5b2c5848280ad0d4bd7738ac760d66c8ed30488201ba10e6f1e3
Instruction ID: 4fbe28ce7b73167e8f3dd5e8b264dabae5795cbd86e207a54db48c1821337e77
Opcode Fuzzy Hash: 7c4d967bc5fc5b2c5848280ad0d4bd7738ac760d66c8ed30488201ba10e6f1e3
Instruction Fuzzy Hash: 5BF0FB35108645DFC706DF00D540B15FBE6FB89718F24C6A9E9490B652C3379862DA81

Uniqueness

Uniqueness Score: -1.00%

Function 033AC7FE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb7d03d2c4f7bd5f6949e6f5237085566278230c63bf4313550043e3034ec9f
Instruction ID: 007731db6290e86d6239a7d185866d7cc82c233a1f46ad70142a055e970042bf
Opcode Fuzzy Hash: 9fb7d03d2c4f7bd5f6949e6f5237085566278230c63bf4313550043e3034ec9f
Instruction Fuzzy Hash: 4BE09B317091919F8615977C84644AE3B6EEFD656231A149BD146CB551CE544C05C362

Uniqueness

Uniqueness Score: -1.00%

Function 033A9FC8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53466d7977d1569fef349dee807c4cb5f402bafb86cd22dab4c72d76083d9e06
Instruction ID: 97d5cbf8e0108b39d88c3978e2381b5fa77dc01edb865c6ad51cb044cfc855a9
Opcode Fuzzy Hash: 53466d7977d1569fef349dee807c4cb5f402bafb86cd22dab4c72d76083d9e06
Instruction Fuzzy Hash: 0DF0A7713042049B4704A76DE4408ADB7B7EBD5225354892DE20AD7750CF72DC468762

Uniqueness

Uniqueness Score: -1.00%

Function 033AA760 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57f886682a10b37420a704bd70e55215d0435393bac093db5fc0501cbef82d6
Instruction ID: aea459546d634db61f8891ee4eab19d5c7973664d49c8fd80bb2b65b92dca278
Opcode Fuzzy Hash: b57f886682a10b37420a704bd70e55215d0435393bac093db5fc0501cbef82d6
Instruction Fuzzy Hash: 4DF0EC357483514FC78693B8841919D3BE69BA656230640A6E009CFB91DE3E8C038722

Uniqueness

Uniqueness Score: -1.00%

Function 033A57A2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1caec716e7f0a9b6d35a45627fec72765f3bd1bb007384d8e01e17913cb121f
Instruction ID: f1bb4c48b95d461cce0378ce9aa3e4437fb6c1fe59bfa6dda552280bcfd28f82
Opcode Fuzzy Hash: b1caec716e7f0a9b6d35a45627fec72765f3bd1bb007384d8e01e17913cb121f
Instruction Fuzzy Hash: A7F0E531F04508CFEB08E7BCE8953AD3369DF8110AB60C179D157EBA90EF294C058792

Uniqueness

Uniqueness Score: -1.00%

Function 033A83D0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688169903d4594fa58cb4f93a8dca3524856e08489e4639a117375eebc7a971b
Instruction ID: 28ce62dafef0a4a7b2284a1ff07dbeb089993851ad7a1f1efc9b7588bad16986
Opcode Fuzzy Hash: 688169903d4594fa58cb4f93a8dca3524856e08489e4639a117375eebc7a971b
Instruction Fuzzy Hash: 24F0963064864ACFC701CB24E8C84DD3F79FF642187048126A4098FA95D7B99D59CB82

Uniqueness

Uniqueness Score: -1.00%

Function 033A72B7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f79138a1fc72d29e5166c2bc8b33a5ecdb79f4c1ccb4f0f4e311d514f44324
Instruction ID: 85985ccd67e1c90d339940df0bd5b3f85063124bdae2bef9a0e60ad22b0bd091
Opcode Fuzzy Hash: a1f79138a1fc72d29e5166c2bc8b33a5ecdb79f4c1ccb4f0f4e311d514f44324
Instruction Fuzzy Hash: B4E03934F016144BCB18F3BDA8A67AE66929FC1919F84043CC50ADFAD1EE2588058792

Uniqueness

Uniqueness Score: -1.00%

Function 033A5EB8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f0b1fa968bfe7633508b964b14a415072c9d14e69ee74f61296f6e09fef110
Instruction ID: b2e15008990979bf671901fcf65acd4c76f11ced13bc2b1f242a638adad166e1
Opcode Fuzzy Hash: 47f0b1fa968bfe7633508b964b14a415072c9d14e69ee74f61296f6e09fef110
Instruction Fuzzy Hash: C8E092317883661FC75657795C405EE77A69E8216430A45AAD001CBAA6DB6C4C438391

Uniqueness

Uniqueness Score: -1.00%

Function 033A8558 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2801e4dbf4aebb0dc27a5cfa16ce5f9c85879aabb22674837e0a75aa96b7df16
Instruction ID: 11d3be7eebdc16b7533172d92c29e48b4022cc7751442447c6ca9ec4a870983f
Opcode Fuzzy Hash: 2801e4dbf4aebb0dc27a5cfa16ce5f9c85879aabb22674837e0a75aa96b7df16
Instruction Fuzzy Hash: B2F05577E092108FCB2207A8ED092A43FF6DB481623088097D80ADF365EA318C008FC0

Uniqueness

Uniqueness Score: -1.00%

Function 033A6381 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a34057101dc9f8e60871c267c310e0757def0011c05709ad1a4375e47420a1
Instruction ID: cb58481863ec479f82055fd64f7e4796e9ec37a4d8de94fd4d27ac79f25de476
Opcode Fuzzy Hash: c4a34057101dc9f8e60871c267c310e0757def0011c05709ad1a4375e47420a1
Instruction Fuzzy Hash: DDE0D83068CA26CFD711AAAC68446EC37D9DB9123170D00BFD406C7AF1D7AE8C4387A2

Uniqueness

Uniqueness Score: -1.00%

Function 033AC849 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128ed3c1d2fb6f0043576be1e1592c7df01f176736cae3455e5c94b3fb03d1ed
Instruction ID: 7dc5dabc02ee1ab3cab825af4bba2dd947c8e7d6a6739293c36b6923143bc642
Opcode Fuzzy Hash: 128ed3c1d2fb6f0043576be1e1592c7df01f176736cae3455e5c94b3fb03d1ed
Instruction Fuzzy Hash: C3E02B34605252AFC311D618D8D0C63BBBDEFCA220314C49FE449C7A02CB30EC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032105F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515766612.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3210000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49969e023be803e1c43a4e19d42bd54f59619780d503d035294919f5132bebe
Instruction ID: eb8cc5f68430920828c95a90d9034ed8188a6c08c66da2507eebc23c627fb210
Opcode Fuzzy Hash: b49969e023be803e1c43a4e19d42bd54f59619780d503d035294919f5132bebe
Instruction Fuzzy Hash: 79E06D766046048B9750DF0AEC41452FBA8EB84630B18C16BDC0D8BB01E636F5088EA5

Uniqueness

Uniqueness Score: -1.00%

Function 033ABA48 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction ID: a7f1905d73c1d78200faa05f495a36ed10c32d7c7ba37311bcd62d69769b97df
Opcode Fuzzy Hash: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction Fuzzy Hash: F2F09835604B009F8330DE5ED584C13FBF9EF85620715CA6EE59A87A24D670F8048B65

Uniqueness

Uniqueness Score: -1.00%

Function 033A46B8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ae396986a9957a7a8f2eeec74fe724fa04bd2f7e7b2b7488ccc3119229d074
Instruction ID: f3799c91a06de146e4b8556d7a27601c624ecbbbf0361625f53b1ece94c38d67
Opcode Fuzzy Hash: 71ae396986a9957a7a8f2eeec74fe724fa04bd2f7e7b2b7488ccc3119229d074
Instruction Fuzzy Hash: 37E08632310511C7C61066BEA4655AE36CEDF41255B1400A6E10ACBB70DE9ACC0143C2

Uniqueness

Uniqueness Score: -1.00%

Function 033A8568 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971e94d1d639d1526b57398e7aa9547426fa66e1bd40d9274b66081a52be6cf6
Instruction ID: 0a096d045e6d40e0eb44e0f7b29c0683851c782c5d84fc18daee70a4dab94c3f
Opcode Fuzzy Hash: 971e94d1d639d1526b57398e7aa9547426fa66e1bd40d9274b66081a52be6cf6
Instruction Fuzzy Hash: 2EE0D136F00520878B6057BCF8185547BEFD75C5A13144169EC06DB354DEB18C004FD1

Uniqueness

Uniqueness Score: -1.00%

Function 033AE5B8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055f1ca18f5e57759e84fe563bf5f031388cc05c88b98809d4c8deed5aaa0018
Instruction ID: d679eea09b6368f1792308d7e2763dfc6d0dc0473f0c0d64351f46991f87452c
Opcode Fuzzy Hash: 055f1ca18f5e57759e84fe563bf5f031388cc05c88b98809d4c8deed5aaa0018
Instruction Fuzzy Hash: E1E0DF31300A209B4215E66DD4608AE77AEDBC6524700882EC90A9BB50FF72DC0A87A0

Uniqueness

Uniqueness Score: -1.00%

Function 033ADD88 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adb6357e013ba10951380ce1d3ed41be19f4ed0851153c292cb4aa678e08122
Instruction ID: 8953c0003717c982bf97b7c3727223b863b24262cbd85819c326773c901029bd
Opcode Fuzzy Hash: 9adb6357e013ba10951380ce1d3ed41be19f4ed0851153c292cb4aa678e08122
Instruction Fuzzy Hash: 90E0DF313009209B8211E66DC4708AE779EEFC65243108C2EC95A9BF50EF73DC068790

Uniqueness

Uniqueness Score: -1.00%

Function 033ADDC9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38461a05f0e98598a255261533df65a11d64cfbce1a12a6fe39f0ce84d9e3c7c
Instruction ID: 3c06597c5360a53dfbceac5d98711918edb8003449afe85182da1890b740a9b2
Opcode Fuzzy Hash: 38461a05f0e98598a255261533df65a11d64cfbce1a12a6fe39f0ce84d9e3c7c
Instruction Fuzzy Hash: 5EE0863114EA50DFC3E98B6C94B07B27B7DEF0D111754455BF08BCAD14C9244943C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 033AFC68 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d70f3cf47892a9145e60a707de2c04cea401898cdb60d1839930c24cc00c5ea
Instruction ID: a8bed6fbd051299324e0733f680f39358426026c8e33ad0e04bd1522feeddc1d
Opcode Fuzzy Hash: 8d70f3cf47892a9145e60a707de2c04cea401898cdb60d1839930c24cc00c5ea
Instruction Fuzzy Hash: EEE04F71208E11DB8214D55F8DD0832736DFA45515340896BCC434FE00D771F80187C6

Uniqueness

Uniqueness Score: -1.00%

Function 033A5F58 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8814caeb294e70e2095eaebc02c3028d772961f7fe5d55c0e86d9b184ed4ce57
Instruction ID: b9accf80e98ba38f4cc2d30e21852cd8be9716d2a438c18f720e4ce187764272
Opcode Fuzzy Hash: 8814caeb294e70e2095eaebc02c3028d772961f7fe5d55c0e86d9b184ed4ce57
Instruction Fuzzy Hash: 6DE0D8302543644FDB05D7B888118FD77FAEFC1124704849FD509D7362CA764C028790

Uniqueness

Uniqueness Score: -1.00%

Function 033AC810 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395406e14e3d9197c836cfbc6a76c3afd293ebb4b0e62ee8726b0d87bd231c1d
Instruction ID: f4654feecf018f8ab5044eb55ecdd7ca7fb3bfa3674d03e5d0a6446f8fda6073
Opcode Fuzzy Hash: 395406e14e3d9197c836cfbc6a76c3afd293ebb4b0e62ee8726b0d87bd231c1d
Instruction Fuzzy Hash: FDE0C231308410A70514A75D80688BE368FEAD5567306206BD207CB621DE518C0183E6

Uniqueness

Uniqueness Score: -1.00%

Function 033A83E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd311466409ee2d1b2e567288f294a08f9ed9ab549d27f3690aa9b2450644f84
Instruction ID: 6feb0ee7b308bc60955fb3596ec2ff3426d81da7c1bf6f2a7e3939042a78605f
Opcode Fuzzy Hash: bd311466409ee2d1b2e567288f294a08f9ed9ab549d27f3690aa9b2450644f84
Instruction Fuzzy Hash: 37E06531608B0DC7C700DB18E8C88D83FADFB6474C750C426A4098EA88EBB4AD588B81

Uniqueness

Uniqueness Score: -1.00%

Function 033AA770 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36b802d2dd596870d236732d82ac53d88095e55f95565bed7c90adb22667c3b
Instruction ID: fd0426e59d44313d308d810dfd630ea5236d1b9234f8d810bdc5c6de098a4d8b
Opcode Fuzzy Hash: a36b802d2dd596870d236732d82ac53d88095e55f95565bed7c90adb22667c3b
Instruction Fuzzy Hash: 21E0CD357047145B4784A3BC905555E7BEEDB995563014066F50ECB740DF378C524762

Uniqueness

Uniqueness Score: -1.00%

Function 033AE5F8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f133eaeef9bc71bf437584790312b6d459cb3c25995a9f9822f6f77689f6fc
Instruction ID: dcdd34a260233895be7a6338640658f1cf0cb14f7c4708c14c0bf3e69fa17110
Opcode Fuzzy Hash: 79f133eaeef9bc71bf437584790312b6d459cb3c25995a9f9822f6f77689f6fc
Instruction Fuzzy Hash: 7CE0CD3054F741CFC3669A18A4905E37F7DDE421197014D8BF4DE47D61C7256950C361

Uniqueness

Uniqueness Score: -1.00%

Function 033AADF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cb75cd7e7a8445d9a7325c1490635f29c09771189dd9c5afabed5564ea6c45
Instruction ID: bb79184680ba2e90b77d346d9408b0b8eac1cd8a4f68a17dbd4f20aa39316d58
Opcode Fuzzy Hash: 54cb75cd7e7a8445d9a7325c1490635f29c09771189dd9c5afabed5564ea6c45
Instruction Fuzzy Hash: 3FE0E671A00F144B4334DF5B9801853F7EAFED5A60714CA3F915987A14DBB0A9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 033A6390 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f91902c6d1e361b9e97407e3769b4fa9f9e50ff215a5ddc6a9807d0e0445265
Instruction ID: 3f28835455767021a11f4a4d1e815bce208b96e6876d638eef9c1f2c1a72baba
Opcode Fuzzy Hash: 7f91902c6d1e361b9e97407e3769b4fa9f9e50ff215a5ddc6a9807d0e0445265
Instruction Fuzzy Hash: DFD02B3120CC25C7D610729C68816EC318CC740215B0C002ED90AC27F0DBD78C4103E7

Uniqueness

Uniqueness Score: -1.00%

Function 033A5EC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824e0a90c8f3b3cc37b11feeda56887fd7236af248e9f9c1a3329aa92e9e66d7
Instruction ID: a5b54fcf94353c1e40154f12d0fa04eace6cbb757b881102aac7f6d743031b73
Opcode Fuzzy Hash: 824e0a90c8f3b3cc37b11feeda56887fd7236af248e9f9c1a3329aa92e9e66d7
Instruction Fuzzy Hash: 7BD0A7367406291B5514B67B5C01ABF728E9F91495345486DE505CA760DF288C4143E9

Uniqueness

Uniqueness Score: -1.00%

Function 033A5F68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e6b374c8d9188e056e93241c57dd5aa452b666585144ab3f3407e6ce46eee4
Instruction ID: 04e7fe009499e8b9db0f8bb81383bb53df146f9e973238bc04f7191d781cb8e5
Opcode Fuzzy Hash: 62e6b374c8d9188e056e93241c57dd5aa452b666585144ab3f3407e6ce46eee4
Instruction Fuzzy Hash: 07D05E313442241B9504E5A998518BD738EDBD5424704885FA509D7391CE739C0243E0

Uniqueness

Uniqueness Score: -1.00%

Function 033A57F6 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750ecd60e49e791b059aa46130f0e6c73f6f309853a6f626814e45aae77c9b2b
Instruction ID: 3de22773362526591534dd6503fc52c8e6cc481ba257a5706807e9d750366855
Opcode Fuzzy Hash: 750ecd60e49e791b059aa46130f0e6c73f6f309853a6f626814e45aae77c9b2b
Instruction Fuzzy Hash: 31D0C235F04508CB9B08E7F8E4911ED7778DB8502A700407AC05BE6900EF30484543D2

Uniqueness

Uniqueness Score: -1.00%

Function 033A02A1 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015acc1897b0c82e5dc24858448d26db3a39d7b4d0931e0e9d316a5ea123be94
Instruction ID: 396ff27d9791a0fff84f8d27f7fc168fcc04aa2c1f1f39cd4007cdaa01a19b35
Opcode Fuzzy Hash: 015acc1897b0c82e5dc24858448d26db3a39d7b4d0931e0e9d316a5ea123be94
Instruction Fuzzy Hash: E2E01230284B01CFC3A99A54E8554DE77F1FB81620306896ED046CBE99C738AC478B41

Uniqueness

Uniqueness Score: -1.00%

Function 033A46A7 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458bebd2d4a66cab410a0d08eec906c0379e6da1b5c46c90ee6645fc1ecc7a7f
Instruction ID: bf1bd484fd58e0596bdad0fce4321f26c5814dd400816d05ed48f1984e9562d2
Opcode Fuzzy Hash: 458bebd2d4a66cab410a0d08eec906c0379e6da1b5c46c90ee6645fc1ecc7a7f
Instruction Fuzzy Hash: E6D05E302C03115FC7A60A64AC45AEE37B8BF82231B0581BAF804DB962C65D88438790

Uniqueness

Uniqueness Score: -1.00%

Function 033ADDD8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2053318678e6a3e438983aa2cc700e4fd23dbab8b40b750e39607f025e896dce
Instruction ID: a420b42f5cec7a6d6234e759409a9c382fe21f426318b77da3b11212ed2d561f
Opcode Fuzzy Hash: 2053318678e6a3e438983aa2cc700e4fd23dbab8b40b750e39607f025e896dce
Instruction Fuzzy Hash: 7BD05E31109E24DBC6A8D79C90B0AB2B6ACFF0C522B50452BE44B86D00DE219841C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 033A7450 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608d8de5793ba12f3edd46072c24a19bcdaae05d3091c9198d026850612b333c
Instruction ID: 960aa2ab7a7b5243d68e79900ddd833e2e6c14dbaf6bbf726ec38642b6ae43b6
Opcode Fuzzy Hash: 608d8de5793ba12f3edd46072c24a19bcdaae05d3091c9198d026850612b333c
Instruction Fuzzy Hash: D7D0C231008B608BC336C6FCD4C06B2BFACDB46748F04455EC0C209D208666A4C4C392

Uniqueness

Uniqueness Score: -1.00%

Function 033A0650 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e520c28b7b7fc47000ae13c19f6fc70370777a41dc1f34a31fc7a85a39c69a
Instruction ID: 84f75fbd4d4a5619e423a96057a6b52001669d3e5e1b57d099d97d87df8163e1
Opcode Fuzzy Hash: 36e520c28b7b7fc47000ae13c19f6fc70370777a41dc1f34a31fc7a85a39c69a
Instruction Fuzzy Hash: 9ED02E318C93808FC3599AB068250AC7BB8DAA332AB14C47BD40086932C23E0982CB52

Uniqueness

Uniqueness Score: -1.00%

Function 033A2D20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852073fe3fbc11d70935a2037eba51a7467bcca729309062646848fb3c24fe83
Instruction ID: 84267c8cff4457987863642be71c0014b0b5815ffd417fb3f288057804e2d439
Opcode Fuzzy Hash: 852073fe3fbc11d70935a2037eba51a7467bcca729309062646848fb3c24fe83
Instruction Fuzzy Hash: EBD05E301CCB459FD3AA83989868FBA7BA8DB69221F094DA7D05ADF8F7C34844028701

Uniqueness

Uniqueness Score: -1.00%

Function 033A016F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4037344cb335977e6a1785deffc5403a2cf909a46f8b378fed2752b317313bbc
Instruction ID: fb2a728d86897608be33a63964c97b4329db9d5e08d2b1a986113432ac988a2a
Opcode Fuzzy Hash: 4037344cb335977e6a1785deffc5403a2cf909a46f8b378fed2752b317313bbc
Instruction Fuzzy Hash: 2FE012316413408FCB556B70E06959C3761EF552267414A7EC42ACB6E1EB7EC8C6CB01

Uniqueness

Uniqueness Score: -1.00%

Function 033A5BB0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7dda79b70ddcefbd87abfdb2e69aa2d983aecc2bcc4fecac983bfa6fa36655
Instruction ID: 139dfc72b6b8c4162ea18b580e132d449040ddc80ccb713b5f032fa6b91071a1
Opcode Fuzzy Hash: 1a7dda79b70ddcefbd87abfdb2e69aa2d983aecc2bcc4fecac983bfa6fa36655
Instruction Fuzzy Hash: 16C01232715515579914F1BE149117F71CD8696836341096A900A8BB90DC554C0002D1

Uniqueness

Uniqueness Score: -1.00%

Function 033A6F00 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 5656712b2d712c394093da5c59ecefd0d31c2ab5e37c512ced9bab0badc87d79
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: C6D0673AA00004CFC704CB88D5959DDF7F1EB88325F28C1A6D915A7251C732ED56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 033AE608 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb21018e8b0e4d5393e5b6713d52295cf8278320d56a738bb529feb8b9d9f8
Instruction ID: 7565d4d13c15ca6875dc46976e47112185f22123cf1feb828d2493e2621b09bd
Opcode Fuzzy Hash: 51fb21018e8b0e4d5393e5b6713d52295cf8278320d56a738bb529feb8b9d9f8
Instruction Fuzzy Hash: CCD0223080DA00CB8338EE0CE0808B2B37CEA003267000C2ED08B03E20EB72BC40C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 033A799E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca29a5d835b98f6c8f65b9f9381e281ba3352568a7ca5d16d474ce82187df1cb
Instruction ID: df4642d7065f4775c7b077fc91440f3811fa3d455442f37f3ce03a46576ec459
Opcode Fuzzy Hash: ca29a5d835b98f6c8f65b9f9381e281ba3352568a7ca5d16d474ce82187df1cb
Instruction Fuzzy Hash: 35D052B0E85609CF8B51CFB9E9940DD37F0EB09222360032AD803AB7D4E3345C008B00

Uniqueness

Uniqueness Score: -1.00%

Function 033A5478 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b5e294eab0263839d88b28b5742375b6f2a4968e8e1298f3094f867aa0db0d
Instruction ID: 6ec1943fb08e86231dba1c756e7c36272964a1f85e2271dd8b2893322e25c37c
Opcode Fuzzy Hash: 91b5e294eab0263839d88b28b5742375b6f2a4968e8e1298f3094f867aa0db0d
Instruction Fuzzy Hash: 0FD0C924008A04DBF630ABAE689D32D7A5CE702A0BB480099D08680825DB208090CB12

Uniqueness

Uniqueness Score: -1.00%

Function 033A0180 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc60d16b5d1c6fc5f9dd32d2efb34b77bec49c11be66d0a7c6cd7381b20374c4
Instruction ID: 56f303f68ae64a450f957dc267d39490fb733ca4037e104bd56ae93d2c187096
Opcode Fuzzy Hash: cc60d16b5d1c6fc5f9dd32d2efb34b77bec49c11be66d0a7c6cd7381b20374c4
Instruction Fuzzy Hash: 11D01234200304CFCB182B70E01C41C3369EB4420B341087CD80687754DF7AD891CB01

Uniqueness

Uniqueness Score: -1.00%

Function 033AC5D9 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c72bb9e42980dd057e2acd5f5a27dcfdcb50508c97d6d92fdf4e5e992ab9d3
Instruction ID: 4b984f240e11edc8977f5af18f910cda6c2904895f08595503a17e09db107379
Opcode Fuzzy Hash: 37c72bb9e42980dd057e2acd5f5a27dcfdcb50508c97d6d92fdf4e5e992ab9d3
Instruction Fuzzy Hash: 68D0123880F3C1AFCF230B3018298823F348E0725630808DBF0C89A2A3C5A88481CB72

Uniqueness

Uniqueness Score: -1.00%

Function 033A5B28 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2c5c9f49d3d660469da31fd2e2e7f1dd5166e55d26b642249e9f3e55b817fa
Instruction ID: e2842c79dd2f4aa809cc158ad5b894606d9163ad06687d04258da4acf24409b1
Opcode Fuzzy Hash: 1c2c5c9f49d3d660469da31fd2e2e7f1dd5166e55d26b642249e9f3e55b817fa
Instruction Fuzzy Hash: F5C08C30200A068FEE202BB8A95E12D7B9C8B410073800058E40B89520EF2090004742

Uniqueness

Uniqueness Score: -1.00%

Function 033A2D30 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6967952bc2fec875e6d656e512c6678c51e5db74d83c5d3bef3f0f62f7bb3373
Instruction ID: c2bd9d639d384f1242a7ec79bf66311de5ae28ffb2d25a8084ca3732b1babc7b
Opcode Fuzzy Hash: 6967952bc2fec875e6d656e512c6678c51e5db74d83c5d3bef3f0f62f7bb3373
Instruction Fuzzy Hash: 35C0923418CE08E6E5A8938CAC9EF7BB21CD76CB16F100C02A22FD8CAB1781A1104356

Uniqueness

Uniqueness Score: -1.00%

Function 033A0660 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3404c420e586bf7dc4cfc31363970e4faabcc1d64140d8ccb511aa65e2a54c8b
Instruction ID: a49435436f56812323dde5eb6fefeb878631506d1142aa359ed54760aec25ff9
Opcode Fuzzy Hash: 3404c420e586bf7dc4cfc31363970e4faabcc1d64140d8ccb511aa65e2a54c8b
Instruction Fuzzy Hash: 08C02B31045A04CE821C96B4580C43D720DD7C230F720C435D50100931CE3264518951

Uniqueness

Uniqueness Score: -1.00%

Function 033A5B24 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb41f9d78251e9f3f1cd2d870eea9b3be2dc6907a98dd0c426090d16ce45e5a
Instruction ID: b971733b30c944e92dcca8705e8b802702ca64373acd1e252de4a733e22c9c58
Opcode Fuzzy Hash: 5bb41f9d78251e9f3f1cd2d870eea9b3be2dc6907a98dd0c426090d16ce45e5a
Instruction Fuzzy Hash: 8EB0123020EE0546E9306FA824C862C339C86120573480056E44F8CC20E75480504782

Uniqueness

Uniqueness Score: -1.00%

Function 033A6F24 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 19d8242635f391cc15631ed522efec62372cab6ef41d3d9ded95e7c508e0cc0e
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 59B092B7A04009C9DB00CA88B4823EDF724E790269F104123C31052400C23201648691

Uniqueness

Uniqueness Score: -1.00%

Function 033ACFB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f08dcd358e7e3a066680beb2657e56d6d354fe310362e468cccd9652f4a154
Instruction ID: 2ed0d9c542b08d83f0974e5c4a18f0c49ee519558162cec463b45c8fdedccace
Opcode Fuzzy Hash: 80f08dcd358e7e3a066680beb2657e56d6d354fe310362e468cccd9652f4a154
Instruction Fuzzy Hash: 69B09230009B48DB8200E61AE89E89E772CFB125423904129E5028699C9BB86D0A87A7

Uniqueness

Uniqueness Score: -1.00%

Function 033A2EC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f81f03047b62c070429720dd40e49b90d94e683f353cb435580a014008a6021
Instruction ID: a4adf6317bce70571027b4752c8dbd2eaf7161237ee2d1583ffd47c79569c929
Opcode Fuzzy Hash: 7f81f03047b62c070429720dd40e49b90d94e683f353cb435580a014008a6021
Instruction Fuzzy Hash: 68B01230208A080F675096B56C48E2B338C868040934404A8980CC0010F510D0D03340

Uniqueness

Uniqueness Score: -1.00%

Function 033A6369 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.515883576.00000000033A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_HEUR-Backdoor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e733014966b2ba863bbc10a6484f9dbaf304bc6a14b604d4b9d60a599e72571
Instruction ID: 7c6cdcbc19ab72faf75966812b5ea1ba9cf0a58466191a04d4fe6252385a3313
Opcode Fuzzy Hash: 8e733014966b2ba863bbc10a6484f9dbaf304bc6a14b604d4b9d60a599e72571
Instruction Fuzzy Hash: CEA002386816754BE7499A19485889D7551F5C02363E941FA40549BF61C72C88027D54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 5240, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	65
Total number of Limit Nodes:	5

Executed Functions

Function 00DCB493 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00DCB513

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 55f22a9722029f703f41ac6d8c5955e0e18f2cc6c0e1417f1e962433194a9600
Instruction ID: db4db63c944cb3f6ae56e46d80f1ea75cf07cddfbfab00990332b4045f548610
Opcode Fuzzy Hash: 55f22a9722029f703f41ac6d8c5955e0e18f2cc6c0e1417f1e962433194a9600
Instruction Fuzzy Hash: 5F219F75509780AFDB228F25DC45B52BFB4AF16320F08849AE9858F563D374E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB4CA Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00DCB513

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 2e0c94d2136db03152b6ec66bbf0af7de6ec7087b0191bea5340ab0603a7ca14
Instruction ID: 27aae638c3c182ee538c36c877ba39bb27d1b2c21770f20828f6b083de08ccf8
Opcode Fuzzy Hash: 2e0c94d2136db03152b6ec66bbf0af7de6ec7087b0191bea5340ab0603a7ca14
Instruction Fuzzy Hash: 3C115E726042019FDB218F55D885B66FBE4EF14320F08846EED858B656D375E418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 05267330 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78138879dc56714faf54eb5596d2564d575bebd17177e03d2e5845c6044e79af
Instruction ID: c6eaae5d3930e53b6441fc04e0d133eff02de642e71a9e9f586ba8b0dc0685c0
Opcode Fuzzy Hash: 78138879dc56714faf54eb5596d2564d575bebd17177e03d2e5845c6044e79af
Instruction Fuzzy Hash: 72514A31F25245CFC704DB78A84566EBBF6EF84318F0D8467D806EB360DA74C84487AA

Uniqueness

Uniqueness Score: -1.00%

Function 05267320 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f739af99004540588c9ca3c51689e0f1ee0141cbc8bff786ee8f1d2be6b1e3
Instruction ID: 928aa446d10f3279f505e0153bb0b0ed42a75460f0de681d0cc2aeb235071276
Opcode Fuzzy Hash: 93f739af99004540588c9ca3c51689e0f1ee0141cbc8bff786ee8f1d2be6b1e3
Instruction Fuzzy Hash: 3C512C31E25241CFC704DF75E84966EBBB3FF84314F194466D806EB360DA74C9508BAA

Uniqueness

Uniqueness Score: -1.00%

Function 02962411 Relevance: 4.9, APIs: 1, Instructions: 3383
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02962453

Memory Dump Source

Source File: 00000002.00000002.284712371.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2960000_dhcpmon.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1639cee446da19f8aeb148998a1e7d9c354ae6346d004cd4f0c9588d64cbbe56
Instruction ID: 54dfdf656192321e467b42c3a4f0d4ae7bc54525fa9b6add89138dc1a02ef71a
Opcode Fuzzy Hash: 1639cee446da19f8aeb148998a1e7d9c354ae6346d004cd4f0c9588d64cbbe56
Instruction Fuzzy Hash: 9C935274D067688FCB609FA0ED4C69DBBB5BB48301F1045DAE90AE7364DB349A81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 051AA209 Relevance: 1.9, Instructions: 1884
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.285599598.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51a0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33db1dcdf1a8372d9f25993c076cf4f5c79d77b9ae6e291744e0c3b9280e730
Instruction ID: 6d288d16c0b0d242602960aab2128c0f7b99a531af38cc999caceaade1eeaa6e
Opcode Fuzzy Hash: e33db1dcdf1a8372d9f25993c076cf4f5c79d77b9ae6e291744e0c3b9280e730
Instruction Fuzzy Hash: 7F2363B4D123299FCB60AF70DD4869EBBB5BF89301F1085EA950AE3350DB359A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB9CC Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcesses.KERNEL32(?,?,?,D01596B1,00000000,?,?,?,?,?,?,?,?,6C903C38,?,00000001), ref: 00DCBA72

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 3ef7fe49ab0ce4ad293d6ab08b8307f1dec09156a7fd2df1a44e9fa0bcefe6b3
Instruction ID: d8371c5e3f73e7369c0c97c801b5b94b8031f9c74fc61579f50db8f8c16766eb
Opcode Fuzzy Hash: 3ef7fe49ab0ce4ad293d6ab08b8307f1dec09156a7fd2df1a44e9fa0bcefe6b3
Instruction Fuzzy Hash: B831387140E3C05FD7138B758CA5A92BFB4AF57210F0E84DBD984CF1A3D2689909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAA6A Relevance: 1.6, APIs: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DCAB0D

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4a64f9e69d84387f427c41a325d0eddb2f8f12841a4196a00a0796ba493d2874
Instruction ID: 12d063c13de47e32cfcbc74c11aff5d9967b6e9e6723ce0dbddfe77226316628
Opcode Fuzzy Hash: 4a64f9e69d84387f427c41a325d0eddb2f8f12841a4196a00a0796ba493d2874
Instruction Fuzzy Hash: 36316B71504344AFE722CF25CD44FA6BBE8EF46214F0884AEE9858B652D365E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB700 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCB79A

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: dcfd7dc5fd99fe0a4a5773acb6b21c390740aa5297ef43585f3356922397588d
Instruction ID: 098fe27a535fea9e4ac8c782fe30e653b2b6578cb8a04423bc0182b0f2500316
Opcode Fuzzy Hash: dcfd7dc5fd99fe0a4a5773acb6b21c390740aa5297ef43585f3356922397588d
Instruction Fuzzy Hash: 3031A0725097806FE7128F20DC85F96BBB8EF56324F0884DAE9849B192D364A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA8B6 Relevance: 1.6, APIs: 1, Instructions: 89
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DCA95D

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0891c634a3421fca355e17ad58cf05b5567841f6107124f556fe41e80f50c23a
Instruction ID: bf1029637fa98e51859a27f4379a9684b169acb8be5a4cf1ffaf7894b87764e0
Opcode Fuzzy Hash: 0891c634a3421fca355e17ad58cf05b5567841f6107124f556fe41e80f50c23a
Instruction Fuzzy Hash: C431AD715097806FE712CB25CC85F96BFF8EF06314F09849AE9848B292D374E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB7F9 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCB88A

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 3bda38578cb22fc858438ea31e07c9ee6073fee2fba052ef4fc7f3f481d5bb14
Instruction ID: 78fdd198db1c13419302d2c974955137cdd21a2057457bfab5738247690616de
Opcode Fuzzy Hash: 3bda38578cb22fc858438ea31e07c9ee6073fee2fba052ef4fc7f3f481d5bb14
Instruction Fuzzy Hash: 842182715053846FEB118F21DC45FA6BBBCEF56220F0884ABE945DB152D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB8F0 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E2C,?,?), ref: 00DCB996

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: b612c90da8b67372701365316144003b662296d3779758e197465b31df392c6b
Instruction ID: 6269571d8caf950f71e068b69e049e2ebe97b377a25f5bb660c027950d5d6ccf
Opcode Fuzzy Hash: b612c90da8b67372701365316144003b662296d3779758e197465b31df392c6b
Instruction Fuzzy Hash: CA21AD714093C06FD712CB65CC55F66BFB8EF87610F0984DBD8848F6A3D224A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAB64 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCABF9

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b2e12e4dcb54552678aa73790a78519231bd393b962f9ffecbab5e31ade6e4e5
Instruction ID: 698ee4186710f26090a14eac87a3cd0095d0f7387aa7279adf362c15a44ec2e0
Opcode Fuzzy Hash: b2e12e4dcb54552678aa73790a78519231bd393b962f9ffecbab5e31ade6e4e5
Instruction Fuzzy Hash: 292106B54057806FE7128B21DC81FA2BFB8EF56324F0884DAED848B293D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA078 Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00DCA10E

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 78eaccca77f59ff4f1a538cb6a3ed0bb5964bd4b7b6e5d055228423719f1437c
Instruction ID: 4dbc431fadf2190c4d8aa7d593a03116a92be8c7b83de778ff0294f0ff929c51
Opcode Fuzzy Hash: 78eaccca77f59ff4f1a538cb6a3ed0bb5964bd4b7b6e5d055228423719f1437c
Instruction Fuzzy Hash: 0B21C47140D3C06FC3128B25CC55B66BFB8EF87610F1985DBD9848F693D224A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAA8E Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DCAB0D

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1200bf3a9422d56a77b0aa95b35e865744d7e98b49f2c89bd1f88d1089833280
Instruction ID: 4fbb99ecbb8575dc57088b506cc9902c5f18b63d43daf367a56bf8a8e42cf0df
Opcode Fuzzy Hash: 1200bf3a9422d56a77b0aa95b35e865744d7e98b49f2c89bd1f88d1089833280
Instruction Fuzzy Hash: C921B271500204AFE721CF65CD45F66FBE9EF14314F08846EE9858B651D375E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA8EA Relevance: 1.6, APIs: 1, Instructions: 72
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DCA95D

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5cd9373d99bf17e898b497d7168d97b261ce07a3ad77d5b3e055c9bb2b52db0e
Instruction ID: c2f49d658a12e3570f2e9fee16ec8a4c0aa8d81b23cb0c74529804c7871b90b3
Opcode Fuzzy Hash: 5cd9373d99bf17e898b497d7168d97b261ce07a3ad77d5b3e055c9bb2b52db0e
Instruction Fuzzy Hash: 3721AF71604204AFE720CF25C986FA6FBE8EF04324F18846EE9498B641D774E808CA76

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA728 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCA798

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7a5753a7f1a8117d936afed7595847db7ce242c5dcd17ac9ed5df7174993a142
Instruction ID: 9004cd7f7805c982d41db7fad701b883603fee459946cb969c0ed37c104cd1af
Opcode Fuzzy Hash: 7a5753a7f1a8117d936afed7595847db7ce242c5dcd17ac9ed5df7174993a142
Instruction Fuzzy Hash: 1021DEB24093C49FDB128B25DC95B92BFB4EF13324F0980DBDC848F5A3D2649909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAE46 Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCAEC5

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c420ed444d2b0bb0571059a34266c3c4e2efdbb7858e5cd185db28acce61fb4b
Instruction ID: 6fd48773c281eac61a1e14ee4c8d2623f03c183d5cc107b18523fc034af54256
Opcode Fuzzy Hash: c420ed444d2b0bb0571059a34266c3c4e2efdbb7858e5cd185db28acce61fb4b
Instruction Fuzzy Hash: 62218E71409784AFDB22CF61DC84F96BBB8EF55224F08849AE9499B152C364A408CB76

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB560 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCB5CC

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ecc82fd9bcc8323894696c03618b175bc9d6e3195ee8ea135ad12eeee2b24c36
Instruction ID: 41e0acbedd07cb2533f0e3c9c821d47367339e62b2dde23df73db4eb4d329eac
Opcode Fuzzy Hash: ecc82fd9bcc8323894696c03618b175bc9d6e3195ee8ea135ad12eeee2b24c36
Instruction Fuzzy Hash: CA21AE725093C05FDB028B25DC95B92BFB4AF57324F0D84DBEC858F663D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB826 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCB88A

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: b0e967bad900d0aad5139e8877cca4a7066770b7b46e69feae4498c0bb493e11
Instruction ID: 6224a7f2f4eaf0c084ef0944578ed13e03737a4b52aa315fb23a488bb4dfea6e
Opcode Fuzzy Hash: b0e967bad900d0aad5139e8877cca4a7066770b7b46e69feae4498c0bb493e11
Instruction Fuzzy Hash: 80116D71600605AFEB20CF65DC85FA6B7ACEF15324F18846BED49CB651D764E8088A71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB287 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00DCB2F6

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 800464723badaa3006276ef659b69db33bbfc5e08e6796e2f4aefb9d88cff414
Instruction ID: 195dd7672542f1108aa6b7134ea3b82d568fbf85595dd5e33159211d658c7e8d
Opcode Fuzzy Hash: 800464723badaa3006276ef659b69db33bbfc5e08e6796e2f4aefb9d88cff414
Instruction Fuzzy Hash: 0E216D715093816FDB228F25DC45B66BFB8EF56620F0884AEED45CB252D264E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB73E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCB79A

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: eddd72b10d9615461378f7d4dc389b1c3a62013c2f3b36f2e93ce3e5a923cfa0
Instruction ID: 1bb71c9467ecad6f0b2ec338c64aaf516566f2f69eef9f5ef9d20b78aabca2ca
Opcode Fuzzy Hash: eddd72b10d9615461378f7d4dc389b1c3a62013c2f3b36f2e93ce3e5a923cfa0
Instruction Fuzzy Hash: 43119072504604AFEB21CF65DC85FAAF7A8EF54324F14846AED498B681D774E8088B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAE66 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCAEC5

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: aed2cd472eb878eb7f19ee68551b48fdb7eacd9774db32b15d60834d1487b420
Instruction ID: 19151b17cbacc3425381e230005bca4743434913926b92cba1343eea833d627c
Opcode Fuzzy Hash: aed2cd472eb878eb7f19ee68551b48fdb7eacd9774db32b15d60834d1487b420
Instruction Fuzzy Hash: 3D11B272500604AEEB21CF55DC85FA6FBA8EF24328F14846EED499B641D374E408CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA20C Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DCA275

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ba91e356f63ed0b956d8ff44811142a7960658ca34fdf1b99b0aee03b8d74485
Instruction ID: 869d3badba0bcdd6b0b9db3191fc346c19af8c76a31731681533a5d0d58283ad
Opcode Fuzzy Hash: ba91e356f63ed0b956d8ff44811142a7960658ca34fdf1b99b0aee03b8d74485
Instruction Fuzzy Hash: A811B131508380AFDB228F25DC44B62FFB4EF46314F0884DEED854B562C261A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00DCB2F6

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2c8aa07acef441e047db5e94de11f36e7bb650aaf3bbb0d18f7236e4f4210e15
Instruction ID: 4e4a29acc28a74376d61c456ee2e11b43b2a1374ef147632570d3a37ba3c430f
Opcode Fuzzy Hash: 2c8aa07acef441e047db5e94de11f36e7bb650aaf3bbb0d18f7236e4f4210e15
Instruction Fuzzy Hash: 02115E726002419FDB20CF66D886B6AFBE8EF15720F08846FED49CB651D774E808CA75

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB138 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00DCB18C

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: bcb8da2904b276f07159745d09ab424b90bb977f8a475b7aec44d67cf0345403
Instruction ID: 075fe7a781b3ba2fc74ce00cccce2c3b47905089949d6e6920160b1347d5826e
Opcode Fuzzy Hash: bcb8da2904b276f07159745d09ab424b90bb977f8a475b7aec44d67cf0345403
Instruction Fuzzy Hash: 0411E1715093809FCB128F25DC95B52FFB4DF06220F0C80EFED858B252D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCABA6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,D01596B1,00000000,00000000,00000000,00000000), ref: 00DCABF9

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e202d209b3135cbdf042606ff96bb639ba5ac75ba4379960bd4000143905cae1
Instruction ID: 6c54a4ce11f284cc5d2b6f01f10a823aa909ae1296635964f2dc718c0f063f0b
Opcode Fuzzy Hash: e202d209b3135cbdf042606ff96bb639ba5ac75ba4379960bd4000143905cae1
Instruction Fuzzy Hash: EE012275500604AFE710CB15DD85FA6F7A8DF24328F18C09AEE489B741D374E8088B72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA3B8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DCA40C

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 12c2ef7f2963ad68621f349b5facba03ac7e6c943b5ad27239bbd97c83569747
Instruction ID: 4228165de5da4efbffb4605d00617deeddeafacd613ef2618aeb92013618dd58
Opcode Fuzzy Hash: 12c2ef7f2963ad68621f349b5facba03ac7e6c943b5ad27239bbd97c83569747
Instruction Fuzzy Hash: 93116171409384AFDB128F15DC88B62FFB4DF56624F0880DAED858B252D265A818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBA32 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,D01596B1,00000000,?,?,?,?,?,?,?,?,6C903C38,?,00000001), ref: 00DCBA72

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: c199e51c7a389a31e5ca5c05f32b06da2b21f3e4e4ebee81346e5b710d929dc1
Instruction ID: 43dc7004b0f684987e4fbf1da91a9816db65de3719e5de349bdd5a8bc82ab639
Opcode Fuzzy Hash: c199e51c7a389a31e5ca5c05f32b06da2b21f3e4e4ebee81346e5b710d929dc1
Instruction Fuzzy Hash: CD1139716002019FDB10CF65D886BA6FBA4EF14320F0884AEDD89CB651D7B5E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB946 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E2C,?,?), ref: 00DCB996

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: e643aa87661752bf21f933abe4461488b241db6eee7cdfaff60e403f49b3b94d
Instruction ID: 00511fb93d43ea8d4cd543b78d525345802e5e01ef393fde658f30efb46b34c5
Opcode Fuzzy Hash: e643aa87661752bf21f933abe4461488b241db6eee7cdfaff60e403f49b3b94d
Instruction Fuzzy Hash: FC01B171900200AFD710DF16DD85B66FBA8EB88A20F14812AED088BB41E231B519CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA0BE Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 00DCA10E

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 84d005b4ab4697dd4630481469d57908a45a4b953158102230471385e0482763
Instruction ID: b582e0330b4e1b23a6f2fcb36909e469280ec3312521c008d0c0778330222d4a
Opcode Fuzzy Hash: 84d005b4ab4697dd4630481469d57908a45a4b953158102230471385e0482763
Instruction Fuzzy Hash: 3F01B171900200AFD710DF16DD85B66FBA8EB88A20F14816AED088BB41E235B519CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA766 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCA798

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 71defa3374a3f23f90c743d32f673ffb0c836e77b82698d152df5a4dd3cc95f9
Instruction ID: cee2b69bd7dcb517dd0194a3bc7045c8a15a1afb63a53875f4a5864e660036ab
Opcode Fuzzy Hash: 71defa3374a3f23f90c743d32f673ffb0c836e77b82698d152df5a4dd3cc95f9
Instruction Fuzzy Hash: 470184759042459FDB108F29D885B66FBA4EF15324F18C4AFDD458F641D274E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB59A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DCB5CC

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c068c58051aa803741ae0ab73b5ab58d64befa684c95141e1b5aad80867fe44c
Instruction ID: 838725553d997ef73676f65d92e8a70f9b1e53f872d8244d8252b6550ce4cdd7
Opcode Fuzzy Hash: c068c58051aa803741ae0ab73b5ab58d64befa684c95141e1b5aad80867fe44c
Instruction Fuzzy Hash: 17019A716002409FDB108F25E88ABA6FBA4EF15324F0880ABDD898F642D374E408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA23A Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00DCA275

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 864f9f0e7db39655dda3861db05b8acf3fc939826613aa4cec75458a38ec613b
Instruction ID: 1f8d78495277c908770078ec8c0473f8032dd53d3e5fcdb9920d67691f8fc36c
Opcode Fuzzy Hash: 864f9f0e7db39655dda3861db05b8acf3fc939826613aa4cec75458a38ec613b
Instruction Fuzzy Hash: 4701D4365002059FDB208F59D885B66FBA0EF15324F08C09EDD454B611D376E818DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB15A Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00DCB18C

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 303fe75e676ba8ea82e67c3ecd7be51485d8c854e832f48d43812652f940bd05
Instruction ID: 50a504df4b2b54aff77c1c367d4ac068e8173796de3616e3b47361e5fa450158
Opcode Fuzzy Hash: 303fe75e676ba8ea82e67c3ecd7be51485d8c854e832f48d43812652f940bd05
Instruction Fuzzy Hash: 67018675A002419FDB108F15D88ABA6FBA4EB15334F08C0AFDD498B752D375E808CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA3DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DCA40C

Memory Dump Source

Source File: 00000002.00000002.284403911.0000000000DCA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dca000_dhcpmon.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 14f6aacd964e93507babfffcf6a6645b8a500e50ad001ad5d51ea93c29bfd19a
Instruction ID: 5c06ddbc609a59dbc823f9cc3fc74d44365b8265ee643ef956862fa940047ee5
Opcode Fuzzy Hash: 14f6aacd964e93507babfffcf6a6645b8a500e50ad001ad5d51ea93c29bfd19a
Instruction Fuzzy Hash: CEF0A4355042459FDB14CF09D889B61FBA0DF15338F48C09EDD494B712D3B5E408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 02960C20 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02960C30

Memory Dump Source

Source File: 00000002.00000002.284712371.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2960000_dhcpmon.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0e61571415c4454f1f06c2b4e1b1f8278faa7a99003cb13b45c331d6404639f8
Instruction ID: 303138a430ec8bfabd7e0feb68a6cb766cbb1efae46bc3fc970f5f3c323e18d3
Opcode Fuzzy Hash: 0e61571415c4454f1f06c2b4e1b1f8278faa7a99003cb13b45c331d6404639f8
Instruction Fuzzy Hash: 34C08C2080A2806FDB024F2088481003FB1AD0320038206E6C186DB433862C080ECB3B

Uniqueness

Uniqueness Score: -1.00%

Function 05267AE8 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac99f09c199aacc9ba0288ab3dbc11c440382630938bd1a9a8e10ea5978175f7
Instruction ID: 06901de305127a571458d78fee61b242842b98160dc467da17fa09972b7410a1
Opcode Fuzzy Hash: ac99f09c199aacc9ba0288ab3dbc11c440382630938bd1a9a8e10ea5978175f7
Instruction Fuzzy Hash: 19322C327113118FCB19AB74D866B6E37A3AF89308B10487DD5069B394EF3A9C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 052687E2 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5028b648c1f93d7c73a9d612ad1ff5f0750ab6ab90d78dfbf1bc51cafa28c5
Instruction ID: 23f8bf818e5652c1c20e37003376c72ae5e1ce5e6ed36ea05ca91cb79b1dd110
Opcode Fuzzy Hash: 2d5028b648c1f93d7c73a9d612ad1ff5f0750ab6ab90d78dfbf1bc51cafa28c5
Instruction Fuzzy Hash: BA129F31B002199BDB14EB74C891BADB7B3AF88304F1485A9E509AB396DF34DD86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05267ABA Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359b4ff453e80608bf5c0f23c8a75fd10966c615c417fb875937f96592547a8d
Instruction ID: 7d0a7db1701b53bc0c49bb0a664cdb9d2831a4d5652d8f2729a9a16155b0ffb0
Opcode Fuzzy Hash: 359b4ff453e80608bf5c0f23c8a75fd10966c615c417fb875937f96592547a8d
Instruction Fuzzy Hash: F3D18E327013019BDB18AB74D856B6E73A3AF89358F14487CE5069B394EF39DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05267AD7 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e092bcb10b52fb8a4f536a3709da63f1b743333d190318af5fa5674631b2e94
Instruction ID: 958bb1536e76e5d56467efc9f08728e2b488ac301085d7db41136bf544b85307
Opcode Fuzzy Hash: 3e092bcb10b52fb8a4f536a3709da63f1b743333d190318af5fa5674631b2e94
Instruction Fuzzy Hash: 16D18F327013019BCB18AB74D866B6E73A3AF89318F14483DD5069B394EF3ADC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05267B10 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd5e66cbac5406e26b42e2c2ce8d8acac5fec71ce0cd9f379bc198f2cc4116d
Instruction ID: a422983e97620608da211133356228c965d25a2912943af3b5861ae1f7c39c5f
Opcode Fuzzy Hash: 9cd5e66cbac5406e26b42e2c2ce8d8acac5fec71ce0cd9f379bc198f2cc4116d
Instruction Fuzzy Hash: 56C16E327013019BCB18AB74D856B6E73A3AF89358F24487DD5069B394EF3ADC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05267E4E Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f24c3a01aa951a579870c89bb1d10f5c17d34fe4d30f5b5d4da0cb2d01a3d9
Instruction ID: a9dbfdf50e60ed218d8c046c91132c2132c89efc9c7890418f86ec29d5ed711f
Opcode Fuzzy Hash: 73f24c3a01aa951a579870c89bb1d10f5c17d34fe4d30f5b5d4da0cb2d01a3d9
Instruction Fuzzy Hash: 497121327413118BCB18BB74E556B6E73A2AF85309F10487DD5069B394EF39DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0526822E Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0a965fd31ff3a6c720fbde4bc9b1b342b1e802ce62d53fce32543fc8959f21
Instruction ID: 66a164e9f0fe994a2acbc8c1d860915def579f0da60d4165c63f208cc139fb68
Opcode Fuzzy Hash: fe0a965fd31ff3a6c720fbde4bc9b1b342b1e802ce62d53fce32543fc8959f21
Instruction Fuzzy Hash: 7A5101327413118FCB19BB74E566A6E33A3AF85709710487CD5068B7A4EF3ADC4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 0526857A Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285665216.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5260000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a57dfc7bf0c444f6b98e6120b7796737d108f1fa181147ec6d8e54ffd52b41
Instruction ID: 547a405a2d2e981fe0671325d10c282b008e47196cc05a16792af69de73faaf5
Opcode Fuzzy Hash: d5a57dfc7bf0c444f6b98e6120b7796737d108f1fa181147ec6d8e54ffd52b41
Instruction Fuzzy Hash: 9C312A31F201154BCB149B788861AEE76E3AFD9294F25417DD806FB354DF748C814BD1

Uniqueness

Uniqueness Score: -1.00%

Function 051A9BB0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285599598.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51a0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d1eb3db70a10b40494611405c8ec07145566a9dc87f3fad7ec6c2e44eaa296
Instruction ID: 566e4770de02723a3b6d79c9c44b1df0ff1a55ce29dc3f6610f8981b59216f79
Opcode Fuzzy Hash: 10d1eb3db70a10b40494611405c8ec07145566a9dc87f3fad7ec6c2e44eaa296
Instruction Fuzzy Hash: 84318E317086924BDB06D77848117AE7BA7ABC5650F15887BE105DF349DF34DC454362

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA887 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff5f062f1a568304eefb702fce2c14a94745906d3722219b03196bd09342887
Instruction ID: 1d8713d716eadb471a3c4de2375617c415c07aa1900ff70237dafb5aba1a496c
Opcode Fuzzy Hash: aff5f062f1a568304eefb702fce2c14a94745906d3722219b03196bd09342887
Instruction Fuzzy Hash: 32317FB6509340AFD310CF05DC45A57FBE8EF89620F09C86EFD4997611D271E8188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAF44 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b821be0f0f93c9ce73138ac487ef707820e6760df22da6dc747e0d7dec32667c
Instruction ID: 4fc53b94e40ca5fa9b97d483e3db76bf0fb4034f453836448d0a48497f0e90d6
Opcode Fuzzy Hash: b821be0f0f93c9ce73138ac487ef707820e6760df22da6dc747e0d7dec32667c
Instruction Fuzzy Hash: EE316DB6509340AFD310CF09DC41A57FBE8EB89620F08C86FFD5997311D271A818CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAC08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9adf6b0cd3333f763cf107857a33e954a10dba79b33fb7e76e329889fc4854
Instruction ID: 0e60405e54a4d935924a19484b540d8eabcae025b601a740745b6ecb8efcfe2a
Opcode Fuzzy Hash: aa9adf6b0cd3333f763cf107857a33e954a10dba79b33fb7e76e329889fc4854
Instruction Fuzzy Hash: 3D21B276505300BFD3108F46EC45A57FBA8EF85670F09C86FFD099B611D275A8188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA670 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce2658411e4cdf4ae79d16e9f680c9bf7cb0b50f30022f3b43fc4066ebc599c
Instruction ID: 6ba4d6778aecc36e18833363020e585fa73800f7c014ce1189220dc5400cb3ee
Opcode Fuzzy Hash: 0ce2658411e4cdf4ae79d16e9f680c9bf7cb0b50f30022f3b43fc4066ebc599c
Instruction Fuzzy Hash: CF312BB550D3809FD302CF258851A56BFF4EF8A614F0989DFE888DB252D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA8B2 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b98798430a32c0e199f50eb7c5d87c697cd31931efd2dba7ae6cf33bb8941ac
Instruction ID: a6041854d83cc0a2094b07272e2199c17722f8e7be2970a3c339f69decb45118
Opcode Fuzzy Hash: 2b98798430a32c0e199f50eb7c5d87c697cd31931efd2dba7ae6cf33bb8941ac
Instruction Fuzzy Hash: 01212FB6544300AFD310CF06EC41A57FBE8EB88670F14C96EFD5997711D275E9188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAF6E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b880852b83b1a1f89639bfafa68c28914b095e5cf1bc347aa771442e9e7d23b
Instruction ID: 91471edcca7710a5d5533bc735620e20ca3adaf3a51fe4161b33efbfb39383ae
Opcode Fuzzy Hash: 8b880852b83b1a1f89639bfafa68c28914b095e5cf1bc347aa771442e9e7d23b
Instruction Fuzzy Hash: D42130B6644300AFD310CF06EC41A57FBE8EB88630F14C96EFD5997711D275E9188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAC2E Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1e6ce004f6d6456306f815b244d7768d0321e74b77a6e313e565d662c8c10a
Instruction ID: 774aeeb4ac49bafc156b23a6c2dfaa3a71f43aaecfd5b3b18687d5210be803e4
Opcode Fuzzy Hash: bb1e6ce004f6d6456306f815b244d7768d0321e74b77a6e313e565d662c8c10a
Instruction Fuzzy Hash: E6118176544200BFD6108E06EC41A67FBA9EB84670F18C86EFD095B711D276E8188AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAE98 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925f28299a23a35c802091d3e5639911b9d36f93a9fdab9ff36a2faea2f7e9fb
Instruction ID: ef77c8f2189ec36d3ecf5eea017e79917ba81cd592f23a43bc742507f71e16d7
Opcode Fuzzy Hash: 925f28299a23a35c802091d3e5639911b9d36f93a9fdab9ff36a2faea2f7e9fb
Instruction Fuzzy Hash: 97215CB550D380AFD702CF25DC51956BFF5EF96620F0988DEF8889B252D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA6B1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50055d948edca157efc927b21c7ff18cc2896632c697fe7df02bc26c04e92975
Instruction ID: 652c57625d227d32c00d4e5e3b1b5894cf5344af1e6d6c6a29dd12c9c2d58438
Opcode Fuzzy Hash: 50055d948edca157efc927b21c7ff18cc2896632c697fe7df02bc26c04e92975
Instruction Fuzzy Hash: 6D11DAB5508301AFD340CF19D881A5BFBE4FB88664F04895EFD98D7311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A005CF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284765621.0000000002A00000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a22b3591999c70269cf8f2968d9d31fd381dd4523acc2605430fecf57ac4608
Instruction ID: 5125c678ef3833f7884d4c3e4efa5f72e90d35e250c410738c587a3ea31a36e1
Opcode Fuzzy Hash: 0a22b3591999c70269cf8f2968d9d31fd381dd4523acc2605430fecf57ac4608
Instruction Fuzzy Hash: 9501D67650D7806FD7128F16EC41862FFB8EF86120709C49FEC89CBA12D225A819CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02A005F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284765621.0000000002A00000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54392307f8eb2dde6b0c13eb21865fd68685ae4854c6e89f2b3b40cf1ffb5e8c
Instruction ID: 142df22b678aa08147c597f9cea3b29b9cf31163e5bddc98c1e1c2a4927a563d
Opcode Fuzzy Hash: 54392307f8eb2dde6b0c13eb21865fd68685ae4854c6e89f2b3b40cf1ffb5e8c
Instruction Fuzzy Hash: 2FE06D766046045B9750CF0AEC81452F7A8EB84630718C06BDC0D8BB00E676F5188EA6

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA83F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af1cfdd6f46717e1aba1cb8db740ec6d9b46e91f54206c48fd143fe8c7cb5a6
Instruction ID: deca9e0719106ca396a1d123fd6ce10eb687bb689cf148f2b45843281a2860d5
Opcode Fuzzy Hash: 4af1cfdd6f46717e1aba1cb8db740ec6d9b46e91f54206c48fd143fe8c7cb5a6
Instruction Fuzzy Hash: F6E048726412046BD2509F06DC86F52F79CDB54970F18C55BED085B701E1B5F5188AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DDABBF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73daa8715104c08ac80e70dc48376b98275f103866fcbed7019182e8fd5b6095
Instruction ID: 9ade8f819062b1261bdeaf0538625630d689f5356ee24422acf82071953e180d
Opcode Fuzzy Hash: 73daa8715104c08ac80e70dc48376b98275f103866fcbed7019182e8fd5b6095
Instruction Fuzzy Hash: DBE02072A413006BD2108F06DC86B53F79CDB40930F48C46BED0C5F701E1B5F5088AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAEFB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3135d250393373ab8b0b24548e49afd56ad08b91568d78f44d3701f6477b7133
Instruction ID: 9f7c8a6e795365df5710207c5aa7437fa4bb8ea22be7d275587d80e890f3806e
Opcode Fuzzy Hash: 3135d250393373ab8b0b24548e49afd56ad08b91568d78f44d3701f6477b7133
Instruction Fuzzy Hash: EBE0D8726413006BD2108F06DC86F52F798DB50930F14C45BED085B701E1B1F5188AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA713 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284439417.0000000000DDA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dda000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ce5f39f6f50cb922a78a673d0445d544075c6692952915cf13d51b9c4930ac
Instruction ID: 386c704969a0519144da5f389593113bd5e2b39dcb5bc2f696821fbfd41a5e8d
Opcode Fuzzy Hash: 77ce5f39f6f50cb922a78a673d0445d544075c6692952915cf13d51b9c4930ac
Instruction Fuzzy Hash: 43E0D8726413006BD2109E06DC86F53FB9CDB50A30F08C45BED085B702E1B1F5188AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DC23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284395440.0000000000DC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dc2000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbab0d56a4a7d2bd640f7c2402fe913f729139217b7f97c7f4534f964ca6b6f
Instruction ID: de5fd14ef56091fc0fb5b0d234c19d36aab865fac765393f7fcfb504d6725b4c
Opcode Fuzzy Hash: 6fbab0d56a4a7d2bd640f7c2402fe913f729139217b7f97c7f4534f964ca6b6f
Instruction Fuzzy Hash: D9D05B752556C14FD3168A1CC165F9537946B61704F4A44FDD8408B767C368D981D110

Uniqueness

Uniqueness Score: -1.00%

Function 00DC23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.284395440.0000000000DC2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_dc2000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e3697af2463f94b4e436290ad8acaebc574c59d7d6445b67f03d8c15b4a7fc
Instruction ID: 8bc3ab100ca37549a7bf59dd29daa7402461dc7d9bd071b8326f58795d9e99dc
Opcode Fuzzy Hash: 34e3697af2463f94b4e436290ad8acaebc574c59d7d6445b67f03d8c15b4a7fc
Instruction Fuzzy Hash: 91D05E343042864BCB15DB0CC194F6937D4AB51B04F0A44ECEC008BB62C3B9DC81C610

Uniqueness

Uniqueness Score: -1.00%

Function 051AC7A6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.285599598.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_51a0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfe13f526053d1ba4bdd6bb662e26f98347e396cd32e2344058fed1afb141d5
Instruction ID: dbd7c6c0f6cb709a21e8fd3384c27f53cb74e298e395eabd2029a084a16338e5
Opcode Fuzzy Hash: 4cfe13f526053d1ba4bdd6bb662e26f98347e396cd32e2344058fed1afb141d5
Instruction Fuzzy Hash: 1CD05EB9A05218CFC736DB28E8585787B72AF88310F11C192E50BC3360DB316D90DF61

Uniqueness

Uniqueness Score: -1.00%

Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000000.245601499.000000000016C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000002.252344344.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamedll.exe4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000000.00000003.248416107.0000000003825000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedll.exe4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000003.252420555.000000000150C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe, 00000001.00000002.516146416.0000000003751000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe
Source: HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe	Binary or memory string: OriginalFilenameProcexp.exeB vs HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Static File Info

Windows Analysis Report
HEUR-Backdoor.MSIL.NanoBot.gen-e1cfeeaabcfa93.exe

Function 049515E9 Relevance: 7.9, Strings: 6, Instructions: 356
COMMON

Function 04952411 Relevance: 4.9, APIs: 1, Instructions: 3383
libraryCOMMON

Function 00A8AFD7 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON